Download large files.
Verify. Resume.
4GB AI model, network drops at 3.8GB? Resume from 3.8GB, not zero.
2MB memory for any file size. Detect corruption instantly. Multi-CDN failover.
import { verifyFetch } from 'verifyfetch';
const response = await verifyFetch('/model.bin', {
sri: 'sha256-uU0nuZNN...'
});
// Throws if tampered. Zero config.Why VerifyFetch?
fetch() has integrity, but it buffers the entire file first.
A 4GB AI model needs 4GB+ RAM just to verify the hash.
Large WASM modules and AI models? Native verification crashes your browser.
One CDN compromise = malicious code in your users' browsers.
It's happened before.Polyfill.io
100,000+ sites compromised via CDN takeover
ua-parser-js
7M weekly downloads served malware
event-stream
Bitcoin wallet credentials stolen
Why Not Just Use Native fetch({ integrity })?
Native fetch has basic SRI verification, but VerifyFetch adds streaming, resumable downloads, and fail-fast chunked verification.
| Feature | Native fetch | VerifyFetch |
|---|---|---|
| Basic SRI Verification | ||
| Progress Callbacks | ||
| Streaming Output | ||
| Service Worker Mode | ||
| Chunked Verification (Fail-Fast) | ||
| Multi-CDN Failover | ||
| Fallback URLs | ||
| Manifest System | ||
| CI/CD Enforcement |
Service Worker mode lets you protect every fetch in your app with zero code changes. Just add one line to your service worker.
Free Security Tools
Free browser-based tools to help you secure your applications. No installation required.
Polyfill Scanner
Scan any website for vulnerable scripts. Detect missing SRI, compromised CDNs, and supply chain risks.
SRI Generator
Generate SRI hashes for your files, create Ed25519 keypairs, and build verification manifests.
Playground
Try VerifyFetch in your browser. Edit code, explore examples, and see the memory benefits live.
What You Get
Everything needed to download, verify, and resume large files in the browser.
Service Worker Mode
Add one file, verify all fetches. No changes to existing code needed.
Chunked Verification
Detect corruption at chunk 5, stop immediately. Don't download 3995 more chunks.
Multi-CDN Failover
Try CDN1, CDN2, CDN3. First verified response wins.
Streaming Output
2MB memory for a 4GB file. Process chunks as they arrive.
Resumable Downloads
Network fails at 80%? Resume from 80%. Progress persists to IndexedDB.
Progress Tracking
Bytes loaded, percent complete, ETA. All in one callback.
Manifest System
One JSON file for all your hashes. CLI generates it from your files.
CLI Tools
npx verifyfetch sign *.wasm - done. Enforce in CI with one command.
Simple API, Real Protection
Multiple ways to protect your assets. Choose what fits your needs.
import { verifyFetch } from 'verifyfetch';
// Verify a file against its SRI hash
const response = await verifyFetch('/model.bin', {
sri: 'sha256-uU0nuZNNPgilLlLX2n2r+sSE7+N6U4DukIj3rOLvzek='
});
// That's it. Throws IntegrityError if hash doesn't match.
const model = await response.arrayBuffer();Built for Critical Assets
Protect the files that power your application.
WebAssembly
Verify .wasm modules before instantiation. Protect your compiled code.
/engine.wasmAI Models
Secure multi-GB model downloads. WebLLM, ONNX, transformers.js.
/models/phi-3-mini.binConfig Files
Ensure critical JSON/YAML isn't tampered. Settings, schemas, rules.
/config/settings.jsonAny Binary
Fonts, images, data files. If you fetch it, verify it.
/assets/data.binGet Started in 30 Seconds
Four steps to protect your users from supply chain attacks.
Install
npm install verifyfetchGenerate hashes
npx verifyfetch sign ./public/*.wasm ./models/*.binVerify in your app
import { verifyFetch } from 'verifyfetch';
const res = await verifyFetch('/engine.wasm', {
sri: 'sha256-...'
});Enforce in CI
npx verifyfetch enforce --manifest ./vf.manifest.json