Free Subresource Integrity (SRI) Checker
Subresource Integrity lets browsers reject a third-party script or stylesheet whose contents have changed. We verify every declared integrity hash against the bytes actually loaded, flag mismatches, and list cross-origin resources that have no SRI at all.
Hash Verification
We recompute SHA-256/384/512 of each loaded script and stylesheet and compare against the declared integrity attribute, a green tick means it genuinely matches.
Mismatch Detection
A declared hash that doesn't match the delivered bytes can mean tampering, a compromised CDN, or a stale value the browser will block. We flag it.
Missing SRI
Third-party scripts and styles without SRI are a supply-chain risk, if the CDN is compromised, malicious code runs on your site. We list every unprotected resource.
What is Subresource Integrity?
SRI is a security feature that lets you add an integrity hash to a <script> or <link> tag. The browser only executes the resource if its content matches the hash, protecting you from a third party silently changing the file. It's a core defense against Magecart-style supply-chain attacks.
It checks both coverage and correctness in a single pass: which resources carry SRI, whether those hashes still match, and which third-party assets have none.
Frequently Asked Questions About Subresource Integrity
What is Subresource Integrity (SRI)?
Subresource Integrity is a browser security feature that lets you attach an integrity hash to a <script> or <link> tag. The browser only runs the resource if its contents hash to the expected value, so a compromised CDN or tampered third-party file is blocked instead of executed. It is a core defense against Magecart-style supply-chain attacks.
How does this SRI checker work?
We load your page in a real browser and capture the exact bytes of every script and stylesheet. For each resource that declares an integrity attribute, we recompute the SHA-256, SHA-384, and SHA-512 hashes and compare them to the declared value. Resources that match are marked verified, mismatches are flagged, and cross-origin resources with no integrity attribute are listed as unprotected.
What does an SRI integrity mismatch mean?
A mismatch means the declared integrity hash does not match the bytes actually delivered. This can indicate tampering or a compromised CDN, or simply a stale hash left in place after the file was updated. In every case the browser will refuse to load the resource, so a mismatch is worth investigating immediately.
Which resources should use Subresource Integrity?
SRI matters most for third-party scripts and stylesheets loaded from a CDN or another domain, where you do not control the file. Add the integrity and crossorigin attributes to those tags so a change to the upstream file cannot silently inject code into your site. Same-origin resources benefit less because you already control them.
Is the SRI checker free?
Yes, the Subresource Integrity checker is free with no registration. To also scan for vulnerable JavaScript libraries, exposed secrets, weak security headers, and SSL/TLS issues, run a full ScanTower scan from the link below.
Want the Complete Picture?
FREEThis SRI Check is great for a quick check, but our Full Security Scan gives you a comprehensive security audit in one go.