
HTML <script> integrity Attribute


Example

Link to a CDN, using both the integrity and crossorigin attributes:

<script src="https://code.jquery.com/jquery-3.3.1.slim.min.js"
integrity="sha384-q8i/X+965DzO0rT7abK41JStQIAqVgRVzpbzo5smXKp4YfRvH+8abtTE1Pi6jizo"
crossorigin="anonymous">
</script>

Definition and Usage

The integrity attribute lets the browser check a fetched script, so that the code is never loaded if the source has been manipulated.

Subresource Integrity (SRI) is a W3C specification that allows web developers to ensure that resources hosted on third-party servers have not been altered. Use of SRI is recommended!

When using SRI, the webpage holds the hash and the server holds the file (the .js file in this case). The browser downloads the file, then checks it, to make sure that it is a match with the hash in the integrity attribute. If it matches, the file is used, and if not, the file is blocked.

You can use an online SRI hash generator to generate integrity hashes: SRI Hash Generator
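
The hash generation and the match-or-block check described above, as an added Node.js example (not code from the original page), run on constructed script bytes. It goes beyond the single-hash case shown here by handling several space-separated hashes, following the SRI specification's rules that only the strongest listed algorithm is checked and that an attribute with no recognised hash enforces nothing; the function names are assumptions.

```javascript
// Added example, not from the original page. Function names are hypothetical.
const { createHash } = require('node:crypto');

// Hash algorithms SRI accepts, weakest to strongest.
const STRENGTH = ['sha256', 'sha384', 'sha512'];
// One integrity token: "<algorithm>-<base64 digest>" plus optional "?options".
const TOKEN = /^(sha256|sha384|sha512)-([A-Za-z0-9+\/]+={0,2})(?:\?.*)?$/;

// Build an integrity attribute value for the given file bytes.
function sriHash(body, alg = 'sha384') {
  return `${alg}-${createHash(alg).update(body).digest('base64')}`;
}

// Split an attribute into entries, silently dropping unrecognised tokens.
function parseIntegrity(attr) {
  return attr.trim().split(/\s+/)
    .map((token) => TOKEN.exec(token))
    .filter(Boolean)
    .map(([, alg, digest]) => ({ alg, digest }));
}

// Returns true when the script may run, false when it must be blocked.
function passesIntegrity(body, attr) {
  const entries = parseIntegrity(attr);
  // No usable hash (typo, unsupported algorithm): no check is enforced.
  if (entries.length === 0) return true;
  // Only the strongest algorithm present is compared.
  const best = Math.max(...entries.map((e) => STRENGTH.indexOf(e.alg)));
  const alg = STRENGTH[best];
  const actual = createHash(alg).update(body).digest('base64');
  return entries.some((e) => e.alg === alg && e.digest === actual);
}

// Constructed sample data standing in for a CDN-hosted script.
const original = Buffer.from('window.greet = () => "hello";\n');
const tampered = Buffer.from('window.greet = () => "hello"; /* injected */\n');
const pinned = sriHash(original);

console.log(pinned);
console.log('original runs:', passesIntegrity(original, pinned));
console.log('tampered runs:', passesIntegrity(tampered, pinned));
```

Because an unrecognised token is ignored rather than rejected, a mistyped algorithm name leaves the script unchecked, so generated integrity values are worth validating before deployment.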


Browser Support

The numbers in the table specify the first browser version that fully supports the attribute.

Attribute
integrity 45.0 17.0 43.0 13.0 66.0

Syntax

<script integrity="filehash">

Attribute Values

Value Description
filehash The hash value of the external script file
