The HTML integrity attribute
Quick answer
The HTML integrity attribute lets the browser verify a fetched resource against a cryptographic hash (Subresource Integrity). It is used on the <script> and <link> elements.
Overview
The integrity attribute lets the browser verify a fetched resource against a cryptographic hash (Subresource Integrity). It applies to the <script> and <link> elements.
If the fetched file does not match the hash, the browser refuses to use it — protecting you from a compromised CDN. Pair it with crossorigin.
Syntax
<script src="https://cdn/lib.js" integrity="sha384-…" crossorigin="anonymous"></script>
Values
| Value |
|---|
One or more hashes prefixed by algorithm, e.g. sha384-…. |
Best practices
- Declare the character encoding with <meta charset="utf-8"> first in the <head>.
- Load scripts with defer (or as modules) so they do not block parsing.
- Protect third-party resources with integrity and crossorigin (Subresource Integrity).
- Use resource hints like preload deliberately, paired with the right as value.
Frequently asked questions
What does the integrity attribute do?
Verifies a resource against a hash (SRI).