node package manager
It’s your turn. Help us improve JavaScript. Take the 2017 JavaScript Ecosystem Survey »



Build Status Dependencies Status Dev Dependencies Status

This tool generates a JSON manifest of file hashes & sub-resource integrity data.


npm install --save-dev grunt-sri


Add the following to your Gruntfile.js:

module.exports = function (grunt) {
    "use strict";
        "sri": {
            // Use the default settings for *everything* in ./public/css 
            "bobsDefaultTask": {
                "src": [
            // Create a second manifest with custom settings 
            "janesCustomTask": {
                "options": {
                    "algorithms": ["sha256"],
                    "dest": "./public/sri-directives.json",
                    "targetProp": "payload"
                "files": [
                        src: "public/css/example.css",
                        type: "text/css",
                        id: "cssfile1"
                        src: "public/css/other.css"
    grunt.registerTask("default", ["sri"]);

Run the command grunt. The manifest file will be created.


  • String dest: Target JSON file.
    Default "./payload.json"
  • Boolean merge: Merge results with existing JSON file.
    Default false (overwrite)
  • Array algorithms: List of desired hash algorithms.
    Default ["sha256", "sha512"]
  • String targetProp: Target JS object property name.
    Default null
  • Boolean pretty: Stringify the JSON output in a pretty format.
    Default false


Metadata is stored in JSON format.

  • The default manifest dest is ./payload.json.
  • File paths are relative to the CWD of Grunt.
    This should be the project root.
  • File identifiers are prefixed with the "@" symbol.
    If no ID is specified, the path will be used.


    "@cssfile1": {
        "path": "public/css/example.css",
        "type": "text/css",
        "integrity": "type:text/css sha256-XXXX sha512-XXXXXXXX",
        "hashes": {
            "sha256": "XXXX",
            "sha512": "XXXXXXXX"


Data from the manifest can be loaded into markup. Use the integrity property for SRI integrity attributes, a hash from hashes as a URL parameter for client-side caching, etc.


// In production, consider compiling JSON to PHP assoc arrays
$payload = json_decode(file_get_contents("./payload.json"), true);
$sri = function (id) {
    return $payload["payload"][id];
$element = "<link
    href='/style.css?cache={ sri("@cssfile1")["hashes"]["sha256"] }'
    integrity='{ $sri("@cssfile1")["integrity"] }'


Note: Node apps should use subresource or handlebars-helper-sri, which don't require a build step.

// ES6 
var payload = require("./payload.json");
var sri = (id) => payload.payload[id];
var element = `<link
    href='/style.css?cache=${ sri("@cssfile1").hashes.sha256 }'
    integrity='${ sri("@cssfile1").integrity }'


This tool follows SemVer from v0.1.0, as SRI is now a W3C recommendation.

Changes to the V1 SRI spec will be tracked with minor releases.