VerifyFetch

Verify any file you fetch
—before you trust it.

Streaming integrity verification for WASM, AI models, and large files.
SRI for fetch() with constant 2MB memory.

Get StartedView on GitHub
import { verifyFetch } from 'verifyfetch';

const response = await verifyFetch('/model.bin', {
  sri: 'sha256-uU0nuZNN...'
});

// That's it. Throws if hash doesn't match.

Why VerifyFetch?

Browser SRI only works on <script> tags.

Your fetch() calls are completely unprotected.

Your WASM modules, AI models, and binary files? Completely unverified.

One CDN compromise = malicious code in your users' browsers.

It's happened before.
2024

Polyfill.io

100,000+ sites compromised via CDN takeover

2021

ua-parser-js

7M weekly downloads served malware

2018

event-stream

Bitcoin wallet credentials stolen

The Problem with Native crypto.subtle

Native hashing loads the entire file into memory before computing. VerifyFetch streams—constant memory for any file size.

100 MBFile Size4 GB

crypto.subtle.digest()

Slow, RAM spike

Memory usage

VerifyFetch

2 MB

Constant memory usage

File SizeNativeVerifyFetch
100 MB100 MB2 MB
500 MB500 MB2 MB
1 GBSlow, RAM spike2 MB
2 GBCrashes2 MB
4 GBCrashes2 MB

Free Security Tools

Powerful browser-based tools to help you secure your applications. No installation required.

Polyfill Scanner

Scan any website for vulnerable scripts. Detect missing SRI, compromised CDNs, and supply chain risks.

Try it free

SRI Generator

Generate SRI hashes for your files, create Ed25519 keypairs, and build verification manifests.

Try it free

Playground

Try VerifyFetch in your browser. Edit code, explore examples, and see the memory benefits live.

Try it free

Everything You Need

Built for security-conscious developers who need to verify files at any scale.

Streaming Verification

WASM-based SHA-256/384/512 with constant 2MB memory for any file size.

Fallback URLs

Auto-retry from backup servers on integrity failure.

Progress Tracking

Monitor large downloads with real-time progress callbacks.

Manifest Mode

Manage multiple files with a single JSON manifest.

CLI Tools

Generate hashes and enforce integrity in CI/CD pipelines.

TypeScript Ready

Full type safety with detailed JSDoc documentation.

Simple API, Powerful Protection

One function. Any file size. Zero memory issues.

import { verifyFetch } from 'verifyfetch';

// Verify a file against its SRI hash
const response = await verifyFetch('/model.bin', {
  sri: 'sha256-uU0nuZNNPgilLlLX2n2r+sSE7+N6U4DukIj3rOLvzek='
});

// That's it. Throws IntegrityError if hash doesn't match.
const model = await response.arrayBuffer();

Built for Critical Assets

Protect the files that power your application.

WebAssembly

Verify .wasm modules before instantiation. Protect your compiled code.

/engine.wasm

AI Models

Secure multi-GB model downloads. WebLLM, ONNX, transformers.js.

/models/phi-3-mini.bin

Config Files

Ensure critical JSON/YAML isn't tampered. Settings, schemas, rules.

/config/settings.json

Any Binary

Fonts, images, data files. If you fetch it, verify it.

/assets/data.bin

Get Started in 30 Seconds

Four steps to protect your users from supply chain attacks.

1

Install

npm install verifyfetch
2

Generate hashes

npx @verifyfetch/cli sign ./public/*.wasm
3

Verify in your app

import { verifyFetch } from 'verifyfetch';

const res = await verifyFetch('/engine.wasm', {
  sri: 'sha256-...'
});
4

Enforce in CI

npx @verifyfetch/cli enforce
Read the Full Documentation