Today I learned that you can actually specify different hash algorithms for Subresource Integrity (SRI) hashes.

If you aren’t familiar with SRI, this post does a good job explaining why it’s useful and how it would have mitigated the recent polyfill.io incident.

I needed to add the hashes to some scripts from a third-party CDN that didn’t provide them, and I came across this handy generator, which lets you choose which algorithm to use and defaults to SHA-384; report-uri has a generator that just includes all 3 different hashes in the integrity value.

So which one to use?

Apparently you can specify different hashes, but there isn’t much value in doing so at the moment: all modern browsers support all of the available algorithms, so you should just pick SHA-512. In the future, however, newer algorithms might be implemented, which you could add while maintaining backwards compatibility.
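
To see how a multi-hash integrity value behaves, here is an added example (not code from this post or from either generator) that builds SRI tokens in Node.js and emulates the browser check, which skips algorithms it does not recognise and compares only against the strongest one listed. The function names and the sample script are assumptions made up for the illustration.

```javascript
// Added example, not from the original post. Requires Node.js.
const { createHash } = require("node:crypto");

// Hash algorithms available for SRI, ordered weakest to strongest.
const SRI_ALGOS = ["sha256", "sha384", "sha512"];

// Build one "<alg>-<base64 digest>" token for the given content.
function sriToken(algo, content) {
  if (!SRI_ALGOS.includes(algo)) throw new Error(`unsupported SRI algorithm: ${algo}`);
  return `${algo}-${createHash(algo).update(content).digest("base64")}`;
}

// Build an integrity attribute value with one token per requested algorithm.
function sriIntegrity(content, algos = ["sha512"]) {
  return algos.map((algo) => sriToken(algo, content)).join(" ");
}

// Emulate the browser-side check: skip tokens with an unrecognised algorithm,
// keep only the strongest algorithm present, and pass if any of its digests match.
function verifySri(content, integrity) {
  const known = integrity
    .trim()
    .split(/\s+/)
    .map((token) => /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})$/.exec(token))
    .filter(Boolean)
    .map(([, algo, digest]) => ({ algo, digest }));
  if (known.length === 0) return true; // no usable hash, so nothing is enforced
  const rank = (algo) => SRI_ALGOS.indexOf(algo);
  const strongest = known.reduce((best, t) => (rank(t.algo) > rank(best) ? t.algo : best), "sha256");
  return known
    .filter((t) => t.algo === strongest)
    .some((t) => sriToken(t.algo, content) === `${t.algo}-${t.digest}`);
}

// Constructed sample standing in for a third-party CDN script.
const SAMPLE_SCRIPT = Buffer.from('console.log("hello from the CDN");\n');

console.log(`integrity="${sriIntegrity(SAMPLE_SCRIPT, SRI_ALGOS)}"`);
console.log("untouched file passes:", verifySri(SAMPLE_SCRIPT, sriIntegrity(SAMPLE_SCRIPT)));
```

Because only the strongest listed algorithm is compared, a SHA-256 token sitting next to a SHA-512 token is never consulted by a browser that supports both.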