References

Beginner-friendly references for web development, with live, editable examples.

The HTML integrity attribute

Attribute All modern browsers Updated
Quick answer

The HTML integrity attribute lets the browser verify a fetched resource against a cryptographic hash (Subresource Integrity). It is used on the <script> and <link> elements.

Overview

The integrity attribute lets the browser verify a fetched resource against a cryptographic hash (Subresource Integrity). It applies to the <script> and <link> elements.

If the fetched file does not match the hash, the browser refuses to use it — protecting you from a compromised CDN. Pair it with crossorigin.

Syntax

<script src="https://cdn/lib.js" integrity="sha384-…" crossorigin="anonymous"></script>

Values

Value
One or more hashes prefixed by algorithm, e.g. sha384-….

Best practices

  • Declare the character encoding with <meta charset="utf-8"> first in the <head>.
  • Load scripts with defer (or as modules) so they do not block parsing.
  • Protect third-party resources with integrity and crossorigin (Subresource Integrity).
  • Use resource hints like preload deliberately, paired with the right as value.

Frequently asked questions

What does the integrity attribute do?
Verifies a resource against a hash (SRI).
Where do head attributes apply?
On the metadata elements in the <head><meta>, <link>, <script> and <base>.
What is the difference between async and defer?
async runs a script as soon as it loads in no set order; defer runs scripts in order after the document is parsed.
Which elements use the integrity attribute?
It is an element-specific attribute, used on document head elements like <meta>, <link> and <script>.