The integrity attribute enables Subresource Integrity (SRI)—a security feature that lets the browser verify an external resource (such as a JavaScript file or stylesheet) has not been tampered with. You provide a cryptographic hash of the expected file content; if the downloaded bytes do not match, the browser blocks the resource instead of running or applying it.
What You’ll Learn
01
SRI Basics
Hash verification.
02
script & link
Where it applies.
03
sha256/384/512
Hash algorithms.
04
crossorigin
Required for CDN SRI.
05
Generate Hash
openssl / SRI tools.
06
Update on Change
Keep hashes in sync.
Fundamentals
Purpose of integrity Attribute
The primary purpose of the integrity attribute is to verify that external resources fetched by the browser match the content you expect. This protects users if a CDN is compromised, a man-in-the-middle attack alters a file, or a cached copy differs from the version you audited.
Without SRI, the browser blindly trusts whatever file the URL returns. With integrity, a hash mismatch causes the browser to reject the script or stylesheet—preventing injected or modified code from executing on your page.
🔒
Pair with crossorigin
Cross-origin SRI requires CORS-enabled fetching. Add crossorigin="anonymous" on the same <script> or <link> element when loading from a CDN on another domain.
Foundation
📝 Syntax
Add integrity to a <script> or <link> element that loads an external file:
If the hash matches example.js, the script executes. If the CDN serves altered content, the browser refuses to run it and logs an integrity error in DevTools.
How It Works
The browser downloads example.js, hashes the bytes with SHA-384, base64-encodes the result, and compares it to the value after sha384- in the attribute. Only a perfect match allows execution.
Example — External Stylesheet with SRI
Apply the same protection to CSS loaded from a CDN:
In production, declare integrity directly in HTML or inject it before inserting the element into the document. Setting it after the file has already loaded does not retroactively verify the first fetch.
How It Works
The example computes a SHA-256 hash of known content and assigns it to the script element. For static CDN assets, generate hashes at build time and embed them in your HTML template instead of computing in the browser.
A11y
♿ Accessibility
Blocked scripts can break functionality — If SRI rejects a critical script, interactive features may fail. Monitor the console and provide fallbacks for essential UI.
Do not block required styles silently — A failed stylesheet can harm layout and readability. Test after every hash update.
Security benefits all users — SRI helps protect everyone, including assistive technology users, from injected malicious content.
Document CDN dependencies — Keep a list of external assets with hashes so updates remain accessible to the whole team.
🧠 How integrity Works
1
Author embeds expected hash
integrity + crossorigin on script/link.
Markup
2
Browser fetches resource
CDN or third-party server responds.
Network
3
Browser hashes response
Compares to integrity attribute.
Verify
=
🔒
Trusted resource only
Match runs CSS/JS. Mismatch blocks tampered files.
Compatibility
Browser Support
Subresource Integrity is supported in all modern browsers for <script> and <link rel="stylesheet">. Use crossorigin with cross-origin CDN assets for reliable SRI checks.
✓ HTML5 · Fully supported
Modern SRI support
Chrome, Firefox, Safari, and Edge enforce integrity on external scripts and stylesheets.
98%Browser support
Google ChromeFully supported
Full support
Mozilla FirefoxFully supported
Full support
Apple SafariFully supported
Full support
Microsoft EdgeFully supported
Full support
Internet ExplorerNot supported
No SRI
OperaFully supported
Full support
integrity attribute (SRI)98% supported
Bottom line: Use SRI on CDN scripts and stylesheets in all modern browsers; pair with crossorigin for cross-origin files.
Pro Tips
💡 Best Practices
✅ Do
Add integrity to critical CDN scripts and stylesheets
Pair with crossorigin="anonymous" on cross-origin assets
Regenerate hashes when you upgrade library versions
Automate hash generation in your build pipeline
Monitor the console for SRI failures after deployments
❌ Don’t
Use placeholder hashes like sha256-abc123 in production
Forget to update integrity after editing the external file
Skip crossorigin on cross-origin SRI tags
Assume SRI replaces other security measures (CSP, HTTPS)
Set integrity only after the browser has already fetched the file
Wrap Up
Conclusion
The integrity attribute is a valuable tool for enhancing the security of web applications through Subresource Integrity. It lets browsers verify that external scripts and stylesheets have not been altered since you approved them.
By generating accurate hashes, pairing with crossorigin, and updating values whenever files change, you can reduce the risk of CDN compromise and supply-chain attacks while keeping your pages trustworthy for users.
Five truths every developer should know about integrity
Bookmark these before loading CDN assets.
5
Core concepts
🔒01
SRI
Verify file bytes.
Security
📄02
script & link
External resources
Scope
🔢03
sha384-...
Hash format
Values
🌐04
crossorigin
CDN requirement
CORS
🔄05
Update hash
On every file change
Maintenance
❓ Frequently Asked Questions
It enables Subresource Integrity (SRI). The browser hashes the downloaded file and compares it to your expected hash. If they differ, the script or stylesheet is blocked.
<script src="..."> and <link rel="stylesheet" href="..."> (plus some preload links). Inline scripts without src do not use integrity.
Cross-origin resources must be fetched in CORS mode for the browser to read the response body and compute a hash. Use crossorigin="anonymous" on CDN tags.
Hash the file bytes with SHA-256, SHA-384, or SHA-512, base64-encode the digest, and prefix with the algorithm name (e.g. sha384-). Use OpenSSL or an SRI hash generator tool.
The browser refuses to execute the script or apply the stylesheet and logs an integrity error in the developer console. Your page may miss functionality or styling until the hash is corrected.
Yes, with setAttribute("integrity", "sha384-..."), but for first-load verification the attribute should be present before the browser requests the file. Build-time embedding is preferred for static assets.