Sign Up for Free

RunKit +

Try any Node.js package right in your browser

This is a playground to test code. It runs a full Node.js environment and already has all of npm’s 400,000 packages pre-installed, including grunt-sri with all npm packages installed. Try it out:

require("grunt/package.json"); // grunt is a peer dependency. var gruntSri = require("grunt-sri")

This service is provided by RunKit and is not affiliated with npm, Inc or the package authors.

grunt-sri v0.2.0

Client-side caching & SRI generation for Grunt


Build Status Dependencies Status Dev Dependencies Status

This tool generates a JSON manifest of file hashes & sub-resource integrity data.


npm install --save-dev grunt-sri


Add the following to your Gruntfile.js:

module.exports = function (grunt) {
    "use strict";


        "sri": {

            // Use the default settings for *everything* in ./public/css
            "bobsDefaultTask": {
                "src": [

            // Create a second manifest with custom settings
            "janesCustomTask": {
                "options": {
                    "algorithms": ["sha256"],
                    "dest": "./public/sri-directives.json",
                    "targetProp": "payload"
                "files": [
                        src: "public/css/example.css",
                        type: "text/css",
                        id: "cssfile1"
                        src: "public/css/other.css"



    grunt.registerTask("default", ["sri"]);

Run the command grunt. The manifest file will be created.


  • String dest: Target JSON file.
    Default "./payload.json"
  • Boolean merge: Merge results with existing JSON file.
    Default false (overwrite)
  • Array algorithms: List of desired hash algorithms.
    Default ["sha256", "sha512"]
  • String targetProp: Target JS object property name.
    Default null
  • Boolean pretty: Stringify the JSON output in a pretty format.
    Default false


Metadata is stored in JSON format.

  • The default manifest dest is ./payload.json.
  • File paths are relative to the CWD of Grunt.
    This should be the project root.
  • File identifiers are prefixed with the "@" symbol.
    If no ID is specified, the path will be used.


    "@cssfile1": {
        "path": "public/css/example.css",
        "type": "text/css",
        "integrity": "type:text/css sha256-XXXX sha512-XXXXXXXX",
        "hashes": {
            "sha256": "XXXX",
            "sha512": "XXXXXXXX"


Data from the manifest can be loaded into markup. Use the integrity property for SRI integrity attributes, a hash from hashes as a URL parameter for client-side caching, etc.


// In production, consider compiling JSON to PHP assoc arrays
$payload = json_decode(file_get_contents("./payload.json"), true);
$sri = function (id) {
    return $payload["payload"][id];

$element = "<link
    href='/style.css?cache={ sri("@cssfile1")["hashes"]["sha256"] }'
    integrity='{ $sri("@cssfile1")["integrity"] }'


Note: Node apps should use subresource or handlebars-helper-sri, which don't require a build step.

// ES6
var payload = require("./payload.json");
var sri = (id) => payload.payload[id];

var element = `<link
    href='/style.css?cache=${ sri("@cssfile1").hashes.sha256 }'
    integrity='${ sri("@cssfile1").integrity }'


This tool follows SemVer from v0.1.0, as SRI is now a W3C recommendation.

Changes to the V1 SRI spec will be tracked with minor releases.

RunKit is a free, in-browser JavaScript dev environment for prototyping Node.js code, with every npm package installed. Sign up to share your code.
Sign Up for Free