Subresource Integrity - Security on the web | MDN

<!doctype html><html lang="en-US" prefix="og: https://ogp.me/ns#"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width,initial-scale=1"/><link rel="icon" href="https://developer.mozilla.org/favicon-48x48.bc390275e955dacb2e65.png"/><link rel="apple-touch-icon" href="https://developer.mozilla.org/apple-touch-icon.528534bba673c38049c2.png"/><meta name="theme-color" content="#ffffff"/><link rel="manifest" href="https://developer.mozilla.org/manifest.f42880861b394dd4dc9b.json"/><link rel="search" type="application/opensearchdescription+xml" href="/opensearch.xml" title="MDN Web Docs"/><title>Subresource Integrity - Security on the web | MDN</title><link rel="alternate" title="Subresource Integrity" href="https://developer.mozilla.org/de/docs/Web/Security/Subresource_Integrity" hrefLang="de"/><link rel="alternate" title="Subresource Integrity" href="https://developer.mozilla.org/fr/docs/Web/Security/Subresource_Integrity" hrefLang="fr"/><link rel="alternate" title="サブリソース完全性" href="https://developer.mozilla.org/ja/docs/Web/Security/Subresource_Integrity" hrefLang="ja"/><link rel="alternate" title="하위 리소스 무결성" href="https://developer.mozilla.org/ko/docs/Web/Security/Subresource_Integrity" hrefLang="ko"/><link rel="alternate" title="子资源完整性" href="https://developer.mozilla.org/zh-CN/docs/Web/Security/Subresource_Integrity" hrefLang="zh"/><link rel="alternate" title="Subresource Integrity" href="https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity" hrefLang="en"/><link rel="preload" as="font" type="font/woff2" href="/static/media/Inter.var.c2fe3cb2b7c746f7966a.woff2" crossorigin=""/><link rel="alternate" type="application/rss+xml" title="MDN Blog RSS Feed" href="https://developer.mozilla.org/en-US/blog/rss.xml" hrefLang="en"/><meta name="description" content="Subresource Integrity (SRI) is a security feature that enables browsers to verify that resources they fetch (for example, from a CDN) are delivered without unexpected 
manipulation. It works by allowing you to provide a cryptographic hash that a fetched resource must match."/><meta property="og:url" content="https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity"/><meta property="og:title" content="Subresource Integrity - Security on the web | MDN"/><meta property="og:type" content="website"/><meta property="og:locale" content="en_US"/><meta property="og:description" content="Subresource Integrity (SRI) is a security feature that enables browsers to verify that resources they fetch (for example, from a CDN) are delivered without unexpected manipulation. It works by allowing you to provide a cryptographic hash that a fetched resource must match."/><meta property="og:image" content="https://developer.mozilla.org/mdn-social-share.d893525a4fb5fb1f67a2.png"/><meta property="og:image:type" content="image/png"/><meta property="og:image:height" content="1080"/><meta property="og:image:width" content="1920"/><meta property="og:image:alt" content="The MDN Web Docs logo, featuring a blue accent color, displayed on a solid black background."/><meta property="og:site_name" content="MDN Web Docs"/><meta name="twitter:card" content="summary_large_image"/><meta name="twitter:creator" content="MozDevNet"/><link rel="canonical" href="https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity"/><style media="print">.article-actions-container,.document-toc-container,.language-menu,.main-menu-toggle,.on-github,.page-footer,.place,.sidebar,.top-banner,.top-navigation-main,ul.prev-next{display:none!important}.main-page-content,.main-page-content pre{padding:2px}.main-page-content pre{border-left-width:2px}</style><script src="/static/js/gtag.js" defer=""></script><script defer="" src="/static/js/main.1b60bff1.js"></script><link href="/static/css/main.959b5ea9.css" 
rel="stylesheet"/></head><body><div id="root"><div class="page-wrapper category-web document-page"><div class="main-wrapper"><main id="content" class="main-content "><article class="main-page-content" lang="en-US"><header><h1>Subresource Integrity</h1></header><div class="section-content"><p><strong>Subresource Integrity</strong> (SRI) is a security feature that enables browsers to verify that resources they fetch (for
example, from a <a href="/en-US/docs/Glossary/CDN">CDN</a>) are delivered without unexpected manipulation. It works by allowing you to provide a cryptographic hash that a fetched resource must match.</p> <div class="notecard note"> <p><strong>Note:</strong> For subresource-integrity verification of a resource served from an origin other than the document in which it's embedded, browsers additionally check the resource using <a href="/en-US/docs/Web/HTTP/CORS">Cross-Origin Resource Sharing (CORS)</a>, to ensure the origin serving the resource allows it to be shared with the requesting origin.</p> </div></div><section aria-labelledby="how_subresource_integrity_helps"><h2 id="how_subresource_integrity_helps"><a href="#how_subresource_integrity_helps">How Subresource Integrity helps</a></h2><div class="section-content"><p>Websites sometimes choose to rely on a third party such as a <a href="/en-US/docs/Glossary/CDN">Content Delivery Network (CDN)</a> to host some of their resources, rather than self-host all their resources. 
For example, a document served from <code>https://example.com</code> might include a resource from another location:</p> <div class="code-example"><div class="example-header"><span class="language-name">html</span></div><pre class="brush: html notranslate"><code>&lt;script src="https://not-example.com/script.js"&gt;&lt;/script&gt; </code></pre></div> <p>This comes with a risk, in that if an attacker gains control of the third-party host, the attacker can inject arbitrary malicious content into its files (or replace the files completely) and thus can also potentially attack sites that fetch files from it.</p> <p>Subresource Integrity enables you to mitigate some risks of attacks such as this, by ensuring that the files your web application or web document fetches have been delivered without an attacker having injected any additional content into those files — and without any other changes of any kind at all having been made to those files.</p></div></section><section aria-labelledby="using_subresource_integrity"><h2 id="using_subresource_integrity"><a href="#using_subresource_integrity">Using Subresource Integrity</a></h2><div class="section-content"><p>You use the Subresource Integrity feature by specifying a base64-encoded cryptographic hash of a resource (file) you're telling the browser to fetch, in the value of the <code>integrity</code> attribute of a <a href="/en-US/docs/Web/HTML/Element/script"><code>&lt;script&gt;</code></a> element or a <a href="/en-US/docs/Web/HTML/Element/link"><code>&lt;link&gt;</code></a> element with <a href="/en-US/docs/Web/HTML/Attributes/rel#stylesheet"><code>rel="stylesheet"</code></a>, <a href="/en-US/docs/Web/HTML/Attributes/rel/preload"><code>rel="preload"</code></a>, or <a href="/en-US/docs/Web/HTML/Attributes/rel/modulepreload"><code>rel="modulepreload"</code></a>.</p> <p>An <code>integrity</code> value begins with at least one string, with each string including a prefix indicating a particular hash algorithm (currently the 
allowed prefixes are <code>sha256</code>, <code>sha384</code>, and <code>sha512</code>), followed by a dash, and ending with the actual base64-encoded hash.</p> <div class="notecard note"> <p><strong>Note:</strong> An <strong>integrity</strong> value may contain multiple hashes separated by whitespace. A resource will be loaded if it matches one of those hashes.</p> </div> <p>Example <code>integrity</code> string with base64-encoded sha384 hash:</p> <pre class="brush: plain notranslate">sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC </pre> <p>So <code>oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC</code> is the "hash" part, and the prefix <code>sha384</code> indicates that it's a sha384 hash.</p> <div class="notecard note"> <p><strong>Note:</strong> An <code>integrity</code> value's "hash" part is, strictly speaking, a <strong><em>cryptographic</em> <em>digest</em></strong> formed by applying a particular hash function to some input (for example, a script or stylesheet file). 
But it's common to use the shorthand "hash" to mean <em>cryptographic</em> <em>digest</em>, so that's what's used in this article.</p> </div></div></section><section aria-labelledby="tools_for_generating_sri_hashes"><h3 id="tools_for_generating_sri_hashes"><a href="#tools_for_generating_sri_hashes">Tools for generating SRI hashes</a></h3><div class="section-content"><h4 id="sri_hash_generator">SRI Hash Generator</h4>
<p>The <a href="https://www.srihash.org/" class="external" target="_blank">SRI Hash Generator</a> is an online tool you can use to generate SRI hashes.</p>
<h4 id="using_openssl">Using OpenSSL</h4>
<p>You can generate SRI hashes from the command line using <strong>OpenSSL</strong> with a command invocation such as:</p>
<div class="code-example"><div class="example-header"><span class="language-name">bash</span></div><pre class="brush: bash notranslate"><code>cat FILENAME.js | openssl dgst -sha384 -binary | openssl base64 -A
</code></pre></div>
<p>In a Windows environment, you can create a tool for generating SRI hashes with the following code:</p>
<div class="code-example"><div class="example-header"><span class="language-name">batch</span></div><pre class="brush: batch notranslate"><code>@echo off
rem The file to hash is the first argument (the SendTo menu supplies it)
set bits=384
rem Hash the file, base64-encode the binary digest, and read it back from a temp file
openssl dgst -sha%bits% -binary "%~1" | openssl base64 -A &gt; "%TEMP%\sri-hash.tmp"
set /p a= &lt; "%TEMP%\sri-hash.tmp"
del "%TEMP%\sri-hash.tmp"
rem Print the value in the form expected by the integrity attribute
echo sha%bits%-%a%
pause
</code></pre></div>
<p>To use that code:</p>
<ol> <li>Save that code in a file named <code>sri-hash.bat</code> in the Windows SendTo folder in your environment (for example, <code>C:\Users\USER\AppData\Roaming\Microsoft\Windows\SendTo</code>).</li> <li>Right-click a file in the File Explorer, select <strong>Send to…</strong>, and then select <code>sri-hash</code>.
You will see the integrity value in a command box.</li> <li>Select the integrity value and right-click to copy it to the Clipboard.</li> <li>Press any key to dismiss the command box.</li> </ol> <div class="notecard note"> <p><strong>Note:</strong> If OpenSSL is not installed on your system, visit the <a href="https://www.openssl.org/" class="external" target="_blank">OpenSSL project website</a> for information about downloading and installing it. The OpenSSL project does not itself host binary distributions of OpenSSL, but does maintain an informal list of third-party distributions: <a href="https://wiki.openssl.org/index.php/Binaries" class="external" target="_blank">https://wiki.openssl.org/index.php/Binaries</a>.</p> </div> <h4 id="using_shasum">Using shasum</h4> <p>You can generate SRI hashes using <a href="https://linux.die.net/man/1/shasum" class="external" target="_blank"><strong>shasum</strong></a> with a command invocation such as:</p> <div class="code-example"><div class="example-header"><span class="language-name">bash</span></div><pre class="brush: bash notranslate"><code>shasum -b -a 384 FILENAME.js | awk '{ print $1 }' | xxd -r -p | base64 </code></pre></div> <ul> <li>The pipe-through <code>xxd</code> step takes the hexadecimal output from <code>shasum</code> and converts it to binary.</li> <li>The pipe-through <code>awk</code> step is necessary because <code>shasum</code> will pass the hashed filename in its output to <code>xxd</code>. 
That can have disastrous consequences if the filename happens to have valid hex characters in it — because <code>xxd</code> will also decode that and pass it to <code>base64</code>.</li> </ul></div></section><section aria-labelledby="cross-origin_resource_sharing_and_subresource_integrity"><h3 id="cross-origin_resource_sharing_and_subresource_integrity"><a href="#cross-origin_resource_sharing_and_subresource_integrity">Cross-Origin Resource Sharing and Subresource Integrity</a></h3><div class="section-content"><p>For subresource-integrity verification of a resource served from an origin other than the document in which it's embedded, browsers additionally check the resource using <a href="/en-US/docs/Web/HTTP/CORS">Cross-Origin Resource Sharing (CORS)</a>, to ensure the origin serving the resource allows it to be shared with the requesting origin. Therefore, the resource must be served with an <a href="/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin"><code>Access-Control-Allow-Origin</code></a> header that allows the resource to be shared with the requesting origin; for example:</p> <div class="code-example"><div class="example-header"><span class="language-name">http</span></div><pre class="brush: http notranslate"><code>Access-Control-Allow-Origin: * </code></pre></div></div></section><section aria-labelledby="examples"><h2 id="examples"><a href="#examples">Examples</a></h2><div class="section-content"><p>In the following examples, assume that <code>oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC</code> is already known to be the expected SHA-384 hash (digest) of a particular script <code>example-framework.js</code>, and there's a copy of the script hosted at <code>https://example.com/example-framework.js</code>.</p></div></section><section aria-labelledby="subresource_integrity_with_the_script_element"><h3 id="subresource_integrity_with_the_script_element"><a href="#subresource_integrity_with_the_script_element">Subresource Integrity 
with the &lt;script&gt; element</a></h3><div class="section-content"><p>You can use the following <a href="/en-US/docs/Web/HTML/Element/script"><code>&lt;script&gt;</code></a> element to tell a browser that before executing the <code>https://example.com/example-framework.js</code> script, the browser must first compare the script to the expected hash, and verify that there's a match.</p> <div class="code-example"><div class="example-header"><span class="language-name">html</span></div><pre class="brush: html notranslate"><code>&lt;script src="https://example.com/example-framework.js" integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC" crossorigin="anonymous"&gt;&lt;/script&gt; </code></pre></div> <div class="notecard note"> <p><strong>Note:</strong> For more details on the purpose of the <code>crossorigin</code> attribute, see <a href="/en-US/docs/Web/HTML/Attributes/crossorigin">CORS settings attributes</a>.</p> </div></div></section><section aria-labelledby="how_browsers_handle_subresource_integrity"><h2 id="how_browsers_handle_subresource_integrity"><a href="#how_browsers_handle_subresource_integrity">How browsers handle Subresource Integrity</a></h2><div class="section-content"><p>Browsers handle SRI by doing the following:</p> <ol> <li> <p>When a browser encounters a <a href="/en-US/docs/Web/HTML/Element/script"><code>&lt;script&gt;</code></a> or <a href="/en-US/docs/Web/HTML/Element/link"><code>&lt;link&gt;</code></a> element with an <code>integrity</code> attribute, before executing the script or before applying any stylesheet specified by the <a href="/en-US/docs/Web/HTML/Element/link"><code>&lt;link&gt;</code></a> element, the browser must first compare the script or stylesheet to the expected hash given in the <code>integrity</code> value.</p> <p>For subresource-integrity verification of a resource served from an origin other than the document in which it's embedded, browsers additionally check the resource using <a 
href="/en-US/docs/Web/HTTP/CORS">Cross-Origin Resource Sharing (CORS)</a>, to ensure the origin serving the resource allows it to be shared with the requesting origin.</p> </li> <li> <p>If the script or stylesheet doesn't match its associated <code>integrity</code> value, the browser must refuse to execute the script or apply the stylesheet, and must instead return a network error indicating that fetching of that script or stylesheet failed.</p> </li> </ol></div></section><h2 id="specifications"><a href="#specifications">Specifications</a></h2><table class="standard-table"><thead><tr><th scope="col">Specification</th></tr></thead><tbody><tr><td><a href="https://html.spec.whatwg.org/multipage/semantics.html#attr-link-integrity">HTML Standard<!-- --> <br/><small># <!-- -->attr-link-integrity</small></a></td></tr><tr><td><a href="https://w3c.github.io/webappsec-subresource-integrity/#the-integrity-attribute">Subresource Integrity<!-- --> <br/><small># <!-- -->the-integrity-attribute</small></a></td></tr><tr><td><a href="https://html.spec.whatwg.org/multipage/scripting.html#attr-script-integrity">HTML Standard<!-- --> <br/><small># <!-- -->attr-script-integrity</small></a></td></tr></tbody></table><section aria-labelledby="browser_compatibility"><h2 id="browser_compatibility"><a href="#browser_compatibility">Browser compatibility</a></h2><div class="section-content"></div></section><h3 id="html.elements.link.integrity"><a href="#html.elements.link.integrity">html.elements.link.integrity</a></h3><p>BCD tables only load in the browser<noscript> <!-- -->with JavaScript enabled. Enable JavaScript to view data.</noscript></p><h3 id="html.elements.script.integrity"><a href="#html.elements.script.integrity">html.elements.script.integrity</a></h3><p>BCD tables only load in the browser<noscript> <!-- -->with JavaScript enabled. 
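</noscript></p>
<p>The two steps listed under "How browsers handle Subresource Integrity", modelled in Node.js as an added example (this is not MDN's code and not a browser implementation). The function names and sample bytes are constructed for illustration, the element is assumed to carry <code>crossorigin="anonymous"</code>, and two behaviours come from the Subresource Integrity specification linked under Specifications rather than from the text above: only hashes of the strongest algorithm present are compared, and an <code>integrity</code> value with no usable hash results in no check at all.</p>

```javascript
// Added example, not MDN's code: a model of the integrity check for an element
// that carries crossorigin="anonymous", as the <script> example on this page does.
const { createHash } = require('node:crypto');

// Prefixes the page lists as allowed, ordered weakest to strongest.
const ALGORITHMS = ['sha256', 'sha384', 'sha512'];

// Same value as `openssl dgst -sha384 -binary | openssl base64 -A`, with the prefix added.
function sriToken(bytes, algorithm = 'sha384') {
  return `${algorithm}-${createHash(algorithm).update(bytes).digest('base64')}`;
}

// Split an integrity value on whitespace into { algorithm, digest } entries.
// Tokens with an unknown prefix or a digest that is not base64 are dropped.
function parseIntegrity(value = '') {
  const entries = [];
  for (const token of value.split(/\s+/)) {
    const dash = token.indexOf('-');
    if (dash === -1) continue;
    const algorithm = token.slice(0, dash);
    const digest = token.slice(dash + 1);
    if (!ALGORITHMS.includes(algorithm)) continue;
    if (!/^[A-Za-z0-9+/]+={0,2}$/.test(digest)) continue;
    entries.push({ algorithm, digest });
  }
  return entries;
}

// Simplified CORS test for a credential-less request: the response is shared when
// Access-Control-Allow-Origin is "*" or names the document's origin.
// Header names are assumed to be lower-cased already.
function sharedWithOrigin(documentOrigin, resourceUrl, responseHeaders) {
  if (new URL(resourceUrl).origin === documentOrigin) return true; // same origin
  const allow = responseHeaders['access-control-allow-origin'];
  return allow === '*' || allow === documentOrigin;
}

// Returns { load, reason }: whether the resource may be executed or applied.
function checkResource({ documentOrigin, resourceUrl, responseHeaders = {}, body, integrity }) {
  if (!sharedWithOrigin(documentOrigin, resourceUrl, responseHeaders)) {
    return { load: false, reason: 'cors' };
  }
  const entries = parseIntegrity(integrity);
  if (entries.length === 0) {
    // Nothing usable to compare against: the resource loads unverified.
    return { load: true, reason: 'no-usable-hash' };
  }
  // Keep only the hashes of the strongest algorithm present, then accept
  // the resource if any one of them equals the digest of the fetched bytes.
  const rank = (entry) => ALGORITHMS.indexOf(entry.algorithm);
  const top = Math.max(...entries.map(rank));
  const match = entries.filter((entry) => rank(entry) === top).some((entry) => {
    const actual = createHash(entry.algorithm).update(body).digest();
    return Buffer.from(entry.digest, 'base64').equals(actual);
  });
  return match ? { load: true, reason: 'match' } : { load: false, reason: 'digest-mismatch' };
}

// Constructed sample data: a pinned file, its next release, and a modified copy.
const ORIGINAL = Buffer.from('window.framework = { version: "1.0.0" };\n');
const NEXT_RELEASE = Buffer.from('window.framework = { version: "1.0.1" };\n');
const TAMPERED = Buffer.concat([ORIGINAL, Buffer.from('/* unexpected change */\n')]);

function demo() {
  const base = {
    documentOrigin: 'https://example.com',
    resourceUrl: 'https://not-example.com/script.js',
    responseHeaders: { 'access-control-allow-origin': '*' },
  };
  const pinned = sriToken(ORIGINAL);
  return {
    original: checkResource({ ...base, body: ORIGINAL, integrity: pinned }),
    tampered: checkResource({ ...base, body: TAMPERED, integrity: pinned }),
    // Two hashes of the same algorithm: either release is accepted.
    rollover: checkResource({
      ...base, body: NEXT_RELEASE, integrity: `${pinned} ${sriToken(NEXT_RELEASE)}`,
    }),
    // A sha256 hash of the modified file is ignored because a sha512 hash is present.
    strongestOnly: checkResource({
      ...base, body: TAMPERED,
      integrity: `${sriToken(TAMPERED, 'sha256')} ${sriToken(ORIGINAL, 'sha512')}`,
    }),
    // A misspelled prefix leaves no usable hash, so the modified file loads.
    typoPrefix: checkResource({
      ...base, body: TAMPERED, integrity: pinned.replace('sha384', 'sha348'),
    }),
    // Correct hash, but the third-party host sends no Access-Control-Allow-Origin.
    noCors: checkResource({ ...base, responseHeaders: {}, body: ORIGINAL, integrity: pinned }),
  };
}

console.log(demo());
```

<p>The <code>typoPrefix</code> case is the one to check for in review: a mistyped algorithm prefix does not cause a load failure, it removes the protection.</p>
<p><noscript>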
Enable JavaScript to view data.</noscript></p><section aria-labelledby="see_also"><h2 id="see_also"><a href="#see_also">See also</a></h2><div class="section-content"><ul> <li><a href="/en-US/docs/Web/HTTP/CSP">Content Security Policy</a></li> <li>The <a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy"><code>Content-Security-Policy</code></a> HTTP header.</li> <li><a href="https://frederikbraun.de/using-subresource-integrity.html" class="external" target="_blank">A CDN that can not XSS you: Using Subresource Integrity</a></li> <li><a href="https://www.srihash.org/" class="external" target="_blank">SRI Hash Generator</a></li> </ul></div></section></article><aside class="article-footer"><div class="article-footer-inner"><p class="last-modified-date">This page was last modified on <time dateTime="2024-11-01T17:40:28.000Z">Nov 1, 2024</time> by <a href="/en-US/docs/Web/Security/Subresource_Integrity/contributors.txt" rel="nofollow">MDN contributors</a>.</p></div></aside></main></div></div><footer id="nav-footer" class="page-footer"><div class="page-footer-grid"><div class="page-footer-legal"><p id="license" class="page-footer-legal-text">Portions of this content are ©1998–2024 by individual mozilla.org contributors.
Content available under<!-- --> <a href="/en-US/docs/MDN/Writing_guidelines/Attrib_copyright_license">a Creative Commons license</a>.</p></div></div></footer></div><script type="application/json" id="hydration">{"url":"/en-US/docs/Web/Security/Subresource_Integrity","doc":{"isMarkdown":true,"isTranslated":false,"isActive":true,"flaws":{},"title":"Subresource Integrity","mdn_url":"/en-US/docs/Web/Security/Subresource_Integrity","locale":"en-US","native":"English (US)","browserCompat":["html.elements.link.integrity","html.elements.script.integrity"],"sidebarHTML":"\n<ol><li><a href=\"/en-US/docs/Web/Security/Certificate_Transparency\">Certificate Transparency</a></li><li><a href=\"/en-US/docs/Web/Security/User_activation\">Features gated by user activation</a></li><li><a href=\"/en-US/docs/Web/Security/Firefox_Security_Guidelines\">Firefox security guidelines</a></li><li><a href=\"/en-US/docs/Web/Security/IFrame_credentialless\">IFrame credentialless</a></li><li><a href=\"/en-US/docs/Web/Security/Insecure_passwords\">Insecure passwords</a></li><li><a href=\"/en-US/docs/Web/Security/Mixed_content\">Mixed content</a></li><li><a href=\"/en-US/docs/Web/Security/Practical_implementation_guides\">Practical security implementation guides</a><ol><li><a href=\"/en-US/docs/Web/Security/Practical_implementation_guides\">Practical security implementation guides</a></li><li><a href=\"/en-US/docs/Web/Security/Practical_implementation_guides/Clickjacking\">Clickjacking prevention</a></li><li><a href=\"/en-US/docs/Web/Security/Practical_implementation_guides/Cookies\">Secure cookie configuration</a></li><li><a href=\"/en-US/docs/Web/Security/Practical_implementation_guides/CORP\">Cross-Origin Resource Policy (CORP) implementation</a></li><li><a href=\"/en-US/docs/Web/Security/Practical_implementation_guides/CORS\">Cross-Origin Resource Sharing (CORS) configuration</a></li><li><a href=\"/en-US/docs/Web/Security/Practical_implementation_guides/CSP\">Content Security Policy (CSP) 
implementation</a></li><li><a href=\"/en-US/docs/Web/Security/Practical_implementation_guides/CSRF_prevention\">Cross-site request forgery (CSRF) prevention</a></li><li><a href=\"/en-US/docs/Web/Security/Practical_implementation_guides/MIME_types\">MIME type verification</a></li><li><a href=\"/en-US/docs/Web/Security/Practical_implementation_guides/Referrer_policy\">Referrer policy configuration</a></li><li><a href=\"/en-US/docs/Web/Security/Practical_implementation_guides/Robots_txt\">robots.txt configuration</a></li><li><a href=\"/en-US/docs/Web/Security/Practical_implementation_guides/SRI\">Subresource integrity (SRI) implementation</a></li><li><a href=\"/en-US/docs/Web/Security/Practical_implementation_guides/TLS\">Transport Layer Security (TLS) configuration</a></li><li><a href=\"/en-US/docs/Web/Security/Practical_implementation_guides/Turning_off_form_autocompletion\">How to turn off form autocompletion</a></li></ol></li><li><a href=\"/en-US/docs/Web/Security/Referer_header:_privacy_and_security_concerns\">Referer header: Privacy and security concerns</a></li><li><a href=\"/en-US/docs/Web/Security/Same-origin_policy\">Same-origin policy</a></li><li><a href=\"/en-US/docs/Web/Security/Secure_Contexts\">Secure contexts</a><ol><li><a href=\"/en-US/docs/Web/Security/Secure_Contexts\">Secure contexts</a></li><li><a href=\"/en-US/docs/Web/Security/Secure_Contexts/features_restricted_to_secure_contexts\">Features restricted to secure contexts</a></li></ol></li><li><a href=\"/en-US/docs/Web/Security/Subdomain_takeovers\">Subdomain takeovers</a></li><li><em><a href=\"/en-US/docs/Web/Security/Subresource_Integrity\" aria-current=\"page\">Subresource Integrity</a></em></li><li><a href=\"/en-US/docs/Web/Security/Transport_Layer_Security\">Transport Layer Security</a></li><li><a href=\"/en-US/docs/Web/Security/Types_of_attacks\">Types of attacks</a></li><li><a href=\"/en-US/docs/Web/Security/Weak_Signature_Algorithm\">Weak signature 
algorithms</a></li></ol>\n","sidebarMacro":"QuickLinksWithSubpages","body":[{"type":"prose","value":{"id":null,"title":null,"isH3":false,"content":"<p><strong>Subresource Integrity</strong> (SRI) is a security feature that enables browsers to verify that resources they fetch (for example, from a <a href=\"/en-US/docs/Glossary/CDN\">CDN</a>) are delivered without unexpected manipulation. It works by allowing you to provide a cryptographic hash that a fetched resource must match.</p>\n<div class=\"notecard note\">\n <p><strong>Note:</strong> For subresource-integrity verification of a resource served from an origin other than the document in which it's embedded, browsers additionally check the resource using <a href=\"/en-US/docs/Web/HTTP/CORS\">Cross-Origin Resource Sharing (CORS)</a>, to ensure the origin serving the resource allows it to be shared with the requesting origin.</p>\n</div>"}},{"type":"prose","value":{"id":"how_subresource_integrity_helps","title":"How Subresource Integrity helps","isH3":false,"content":"<p>Websites sometimes choose to rely on a third party such as a <a href=\"/en-US/docs/Glossary/CDN\">Content Delivery Network (CDN)</a> to host some of their resources, rather than self-host all their resources. 
For example, a document served from <code>https://example.com</code> might include a resource from another location:</p>\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">html</span></div><pre class=\"brush: html notranslate\"><code>&lt;script src=\"https://not-example.com/script.js\"&gt;&lt;/script&gt;\n</code></pre></div>\n<p>This comes with a risk, in that if an attacker gains control of the third-party host, the attacker can inject arbitrary malicious content into its files (or replace the files completely) and thus can also potentially attack sites that fetch files from it.</p>\n<p>Subresource Integrity enables you to mitigate some risks of attacks such as this, by ensuring that the files your web application or web document fetches have been delivered without an attacker having injected any additional content into those files — and without any other changes of any kind at all having been made to those files.</p>"}},{"type":"prose","value":{"id":"using_subresource_integrity","title":"Using Subresource Integrity","isH3":false,"content":"<p>You use the Subresource Integrity feature by specifying a base64-encoded cryptographic hash of a resource (file) you're telling the browser to fetch, in the value of the <code>integrity</code> attribute of a <a href=\"/en-US/docs/Web/HTML/Element/script\"><code>&lt;script&gt;</code></a> element or a <a href=\"/en-US/docs/Web/HTML/Element/link\"><code>&lt;link&gt;</code></a> element with <a href=\"/en-US/docs/Web/HTML/Attributes/rel#stylesheet\"><code>rel=\"stylesheet\"</code></a>, <a href=\"/en-US/docs/Web/HTML/Attributes/rel/preload\"><code>rel=\"preload\"</code></a>, or <a href=\"/en-US/docs/Web/HTML/Attributes/rel/modulepreload\"><code>rel=\"modulepreload\"</code></a>.</p>\n<p>An <code>integrity</code> value begins with at least one string, with each string including a prefix indicating a particular hash algorithm (currently the allowed prefixes are <code>sha256</code>, 
<code>sha384</code>, and <code>sha512</code>), followed by a dash, and ending with the actual base64-encoded hash.</p>\n<div class=\"notecard note\">\n <p><strong>Note:</strong> An <strong>integrity</strong> value may contain multiple hashes separated by whitespace. A resource will be loaded if it matches one of those hashes.</p>\n</div>\n<p>Example <code>integrity</code> string with base64-encoded sha384 hash:</p>\n<pre class=\"brush: plain notranslate\">sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC\n</pre>\n<p>So <code>oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC</code> is the \"hash\" part, and the prefix <code>sha384</code> indicates that it's a sha384 hash.</p>\n<div class=\"notecard note\">\n <p><strong>Note:</strong> An <code>integrity</code> value's \"hash\" part is, strictly speaking, a <strong><em>cryptographic</em> <em>digest</em></strong> formed by applying a particular hash function to some input (for example, a script or stylesheet file). 
But it's common to use the shorthand \"hash\" to mean <em>cryptographic</em> <em>digest</em>, so that's what's used in this article.</p>\n</div>"}},{"type":"prose","value":{"id":"tools_for_generating_sri_hashes","title":"Tools for generating SRI hashes","isH3":true,"content":"<h4 id=\"sri_hash_generator\">SRI Hash Generator</h4>\n<p>The <a href=\"https://www.srihash.org/\" class=\"external\" target=\"_blank\">SRI Hash Generator</a> is an online tool you can use to generate SRI hashes.</p>\n<h4 id=\"using_openssl\">Using OpenSSL</h4>\n<p>You can generate SRI hashes from the command-line using <strong>OpenSSL</strong> with a command invocation such as:</p>\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">bash</span></div><pre class=\"brush: bash notranslate\"><code>cat FILENAME.js | openssl dgst -sha384 -binary | openssl base64 -A\n</code></pre></div>\n<p>In a Windows environment, you can create a tool for generating SRI hashes with the following code:</p>\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">batch</span></div><pre class=\"brush: batch notranslate\"><code>@echo off\nset bits=384\nopenssl dgst -sha%bits% -binary %1% | openssl base64 -A &gt; tmp\nset /p a= &lt; tmp\ndel tmp\necho sha%bits%-%a%\npause\n</code></pre></div>\n<p>To use that code:</p>\n<ol>\n <li>Save that code in a file named <code>sri-hash.bat</code> in the Windows SendTo folder in your environment (for example, <code>C:\\Users\\USER\\AppData\\Roaming\\Microsoft\\Windows\\SendTo</code>).</li>\n <li>Right-click a file in the File Explorer, select <strong>Send to…</strong>, and then select <code>sri-hash</code>. 
You will see the integrity value in a command box.</li>\n <li>Select the integrity value and right-click to copy it to the Clipboard.</li>\n <li>Press any key to dismiss the command box.</li>\n</ol>\n<div class=\"notecard note\">\n <p><strong>Note:</strong> If OpenSSL is not installed on your system, visit the <a href=\"https://www.openssl.org/\" class=\"external\" target=\"_blank\">OpenSSL project website</a> for information about downloading and installing it. The OpenSSL project does not itself host binary distributions of OpenSSL, but does maintain an informal list of third-party distributions: <a href=\"https://wiki.openssl.org/index.php/Binaries\" class=\"external\" target=\"_blank\">https://wiki.openssl.org/index.php/Binaries</a>.</p>\n</div>\n<h4 id=\"using_shasum\">Using shasum</h4>\n<p>You can generate SRI hashes using <a href=\"https://linux.die.net/man/1/shasum\" class=\"external\" target=\"_blank\"><strong>shasum</strong></a> with a command invocation such as:</p>\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">bash</span></div><pre class=\"brush: bash notranslate\"><code>shasum -b -a 384 FILENAME.js | awk '{ print $1 }' | xxd -r -p | base64\n</code></pre></div>\n<ul>\n <li>The pipe-through <code>xxd</code> step takes the hexadecimal output from <code>shasum</code> and converts it to binary.</li>\n <li>The pipe-through <code>awk</code> step is necessary because <code>shasum</code> will pass the hashed filename in its output to <code>xxd</code>. 
That can have disastrous consequences if the filename happens to have valid hex characters in it — because <code>xxd</code> will also decode that and pass it to <code>base64</code>.</li>\n</ul>"}},{"type":"prose","value":{"id":"cross-origin_resource_sharing_and_subresource_integrity","title":"Cross-Origin Resource Sharing and Subresource Integrity","isH3":true,"content":"<p>For subresource-integrity verification of a resource served from an origin other than the document in which it's embedded, browsers additionally check the resource using <a href=\"/en-US/docs/Web/HTTP/CORS\">Cross-Origin Resource Sharing (CORS)</a>, to ensure the origin serving the resource allows it to be shared with the requesting origin. Therefore, the resource must be served with an <a href=\"/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin\"><code>Access-Control-Allow-Origin</code></a> header that allows the resource to be shared with the requesting origin; for example:</p>\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">http</span></div><pre class=\"brush: http notranslate\"><code>Access-Control-Allow-Origin: *\n</code></pre></div>"}},{"type":"prose","value":{"id":"examples","title":"Examples","isH3":false,"content":"<p>In the following examples, assume that <code>oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC</code> is already known to be the expected SHA-384 hash (digest) of a particular script <code>example-framework.js</code>, and there's a copy of the script hosted at <code>https://example.com/example-framework.js</code>.</p>"}},{"type":"prose","value":{"id":"subresource_integrity_with_the_script_element","title":"Subresource Integrity with the &lt;script&gt; element","isH3":true,"content":"<p>You can use the following <a href=\"/en-US/docs/Web/HTML/Element/script\"><code>&lt;script&gt;</code></a> element to tell a browser that before executing the <code>https://example.com/example-framework.js</code> script, the 
browser must first compare the script to the expected hash, and verify that there's a match.</p>\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">html</span></div><pre class=\"brush: html notranslate\"><code>&lt;script\n src=\"https://example.com/example-framework.js\"\n integrity=\"sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC\"\n crossorigin=\"anonymous\"&gt;&lt;/script&gt;\n</code></pre></div>\n<div class=\"notecard note\">\n <p><strong>Note:</strong> For more details on the purpose of the <code>crossorigin</code> attribute, see <a href=\"/en-US/docs/Web/HTML/Attributes/crossorigin\">CORS settings attributes</a>.</p>\n</div>"}},{"type":"prose","value":{"id":"how_browsers_handle_subresource_integrity","title":"How browsers handle Subresource Integrity","isH3":false,"content":"<p>Browsers handle SRI by doing the following:</p>\n<ol>\n <li>\n <p>When a browser encounters a <a href=\"/en-US/docs/Web/HTML/Element/script\"><code>&lt;script&gt;</code></a> or <a href=\"/en-US/docs/Web/HTML/Element/link\"><code>&lt;link&gt;</code></a> element with an <code>integrity</code> attribute, before executing the script or before applying any stylesheet specified by the <a href=\"/en-US/docs/Web/HTML/Element/link\"><code>&lt;link&gt;</code></a> element, the browser must first compare the script or stylesheet to the expected hash given in the <code>integrity</code> value.</p>\n <p>For subresource-integrity verification of a resource served from an origin other than the document in which it's embedded, browsers additionally check the resource using <a href=\"/en-US/docs/Web/HTTP/CORS\">Cross-Origin Resource Sharing (CORS)</a>, to ensure the origin serving the resource allows it to be shared with the requesting origin.</p>\n </li>\n <li>\n <p>If the script or stylesheet doesn't match its associated <code>integrity</code> value, the browser must refuse to execute the script or apply the stylesheet, and must instead 
return a network error indicating that fetching of that script or stylesheet failed.</p>\n </li>\n</ol>"}},{"type":"specifications","value":{"title":"Specifications","id":"specifications","isH3":false,"specifications":[{"bcdSpecificationURL":"https://html.spec.whatwg.org/multipage/semantics.html#attr-link-integrity","title":"HTML Standard"},{"bcdSpecificationURL":"https://w3c.github.io/webappsec-subresource-integrity/#the-integrity-attribute","title":"Subresource Integrity"},{"bcdSpecificationURL":"https://html.spec.whatwg.org/multipage/scripting.html#attr-script-integrity","title":"HTML Standard"}],"query":"html.elements.link.integrity,html.elements.script.integrity"}},{"type":"prose","value":{"id":"browser_compatibility","title":"Browser compatibility","isH3":false,"content":""}},{"type":"browser_compatibility","value":{"title":"html.elements.link.integrity","id":"html.elements.link.integrity","isH3":true,"query":"html.elements.link.integrity"}},{"type":"browser_compatibility","value":{"title":"html.elements.script.integrity","id":"html.elements.script.integrity","isH3":true,"query":"html.elements.script.integrity"}},{"type":"prose","value":{"id":"see_also","title":"See also","isH3":false,"content":"<ul>\n <li><a href=\"/en-US/docs/Web/HTTP/CSP\">Content Security Policy</a></li>\n <li>The <a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy\"><code>Content-Security-Policy</code></a> HTTP header.</li>\n <li><a href=\"https://frederikbraun.de/using-subresource-integrity.html\" class=\"external\" target=\"_blank\">A CDN that can not XSS you: Using Subresource Integrity</a></li>\n <li><a href=\"https://www.srihash.org/\" class=\"external\" target=\"_blank\">SRI Hash Generator</a></li>\n</ul>"}}],"toc":[{"text":"How Subresource Integrity helps","id":"how_subresource_integrity_helps"},{"text":"Using Subresource Integrity","id":"using_subresource_integrity"},{"text":"Examples","id":"examples"},{"text":"How browsers handle Subresource 
Integrity","id":"how_browsers_handle_subresource_integrity"},{"text":"Specifications","id":"specifications"},{"text":"Browser compatibility","id":"browser_compatibility"},{"text":"See also","id":"see_also"}],"summary":"Subresource Integrity (SRI) is a security feature that enables browsers to verify that resources they fetch (for example, from a CDN) are delivered without unexpected manipulation. It works by allowing you to provide a cryptographic hash that a fetched resource must match.","popularity":0.0294,"modified":"2024-11-01T17:40:28.000Z","other_translations":[{"locale":"de","title":"Subresource Integrity","native":"Deutsch"},{"locale":"fr","title":"Subresource Integrity","native":"Français"},{"locale":"ja","title":"サブリソース完全性","native":"日本語"},{"locale":"ko","title":"하위 리소스 무결성","native":"한국어"},{"locale":"zh-CN","title":"子资源完整性","native":"中文 (简体)"}],"pageType":"guide","source":{"folder":"en-us/web/security/subresource_integrity","github_url":"https://github.com/mdn/content/blob/main/files/en-us/web/security/subresource_integrity/index.md","last_commit_url":"https://github.com/mdn/content/commit/8df009472bbc7f0fc8a69717e1493de02982ed66","filename":"index.md"},"short_title":"Subresource Integrity","parents":[{"uri":"/en-US/docs/Web","title":"References"},{"uri":"/en-US/docs/Web/Security","title":"Security on the web"},{"uri":"/en-US/docs/Web/Security/Subresource_Integrity","title":"Subresource Integrity"}],"pageTitle":"Subresource Integrity - Security on the web | MDN","noIndexing":false}}</script></body></html>
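The check described under "How browsers handle Subresource Integrity", as an added example in Node.js (not MDN's or any browser's code). It goes beyond the page in two respects taken from the SRI specification: when several algorithms are listed only the strongest one is compared, and a value with no usable hash enforces nothing. The function names and sample bytes are constructed for illustration.

```javascript
// Added example: a model of the integrity check, not browser source code.
const crypto = require("node:crypto");

// Prefixes the page lists as allowed, ordered weakest to strongest.
const ALGORITHMS = ["sha256", "sha384", "sha512"];

// Build an integrity value: base64 digest as in the page's OpenSSL
// command, with the algorithm prefix and dash added in front.
function sriHash(bytes, algorithm = "sha384") {
  const digest = crypto.createHash(algorithm).update(bytes).digest("base64");
  return `${algorithm}-${digest}`;
}

// Split an integrity attribute into { algorithm, digest } entries and
// drop tokens that are malformed or use a prefix outside ALGORITHMS.
function parseIntegrity(value) {
  return value.trim().split(/\s+/).flatMap((token) => {
    const dash = token.indexOf("-");
    if (dash < 1) return [];
    const algorithm = token.slice(0, dash);
    const digest = token.slice(dash + 1).split("?")[0]; // strip any options
    return ALGORITHMS.includes(algorithm) && digest ? [{ algorithm, digest }] : [];
  });
}

// Decide whether fetched bytes may be used under the given integrity value.
function verifyIntegrity(bytes, integrity) {
  const entries = parseIntegrity(integrity);
  // Nothing usable to check against: the resource is not blocked.
  if (entries.length === 0) return { ok: true, enforced: false };
  const rank = (e) => ALGORITHMS.indexOf(e.algorithm);
  const strongest = entries.reduce((a, b) => (rank(b) > rank(a) ? b : a)).algorithm;
  const actual = crypto.createHash(strongest).update(bytes).digest("base64");
  // Only hashes made with the strongest listed algorithm are compared.
  const ok = entries.some((e) => e.algorithm === strongest && e.digest === actual);
  return { ok, enforced: true, algorithm: strongest };
}

// Constructed sample data standing in for example-framework.js.
const original = Buffer.from("console.log('framework v1');\n");
const tampered = Buffer.from("console.log('framework v1');injected();\n");

console.log(sriHash(original));
console.log(verifyIntegrity(original, sriHash(original))); // accepted
console.log(verifyIntegrity(tampered, sriHash(original))); // rejected
```

When auditing pages, treat `enforced: false` as a finding: a typo in the algorithm prefix leaves the attribute in place but checks nothing.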
