# Bad value X for attribute “integrity” on element “script”: Invalid base64-value (should be multiple of 4 bytes).

> Canonical HTML version: https://rocketvalidator.com/html-validation/bad-value-x-for-attribute-integrity-on-element-script-invalid-base64-value-should-be-multiple-of-4-bytes
> Attribution: Rocket Validator (https://rocketvalidator.com)
> License: CC BY 4.0 (https://creativecommons.org/licenses/by/4.0/)

The `integrity` attribute enables Subresource Integrity (SRI), a security feature that lets browsers verify that a fetched resource (such as a JavaScript file from a CDN) has not been tampered with. The attribute value follows the format `[algorithm]-[base64-encoded hash]`, where the algorithm is typically `sha256`, `sha384`, or `sha512`, and the hash is a base64 representation of the file's cryptographic digest.

Base64 encoding works by converting binary data into a string of ASCII characters drawn from a 64-character alphabet. A key property of valid base64 is that the encoded output must always have a length that is a multiple of 4. When the raw binary data doesn't divide evenly, the output is padded with one or two `=` characters to reach the correct length. If the base64 string in your `integrity` attribute has an incorrect length — for instance, it was truncated, manually edited, or copied incompletely — the validator will flag it as invalid.

This matters for several reasons:

- **Security**: If the `integrity` value is malformed, the browser cannot verify the resource. Depending on the browser, it may block the script entirely, breaking your site's functionality.
- **Standards compliance**: The HTML specification requires the hash portion to be a valid base64 string. An invalid value is a conformance error.
- **Reliability**: A malformed hash will never match any file, so the SRI check will always fail, effectively making the script unusable.

Common causes of this error include:

- Copying the hash value incompletely (missing trailing `=` padding or other characters).
- Manually modifying the hash string.
- Using a tool that produced an incorrectly encoded output.
- Mixing up base64 and base64url encodings (base64url uses `-` and `_` instead of `+` and `/`, and often omits padding).

To fix the issue, regenerate the correct SRI hash for the exact file being referenced. You can do this with the command line:

```
openssl dgst -sha384 -binary script.js | openssl base64 -A
```

Or using `shasum` and `base64`:

```
shasum -b -a 384 script.js | awk '{print $1}' | xxd -r -p | base64
```

Online tools like the [SRI Hash Generator](https://www.srihash.org/) can also produce the correct value. After generating the hash, prepend the algorithm prefix (e.g., `sha384-`) and verify that the base64 portion has a length divisible by 4.
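The checks described above can be automated before deployment. The following Python sketch is an added example, not part of the original page or of any validator's code. The function names `sri_value`, `check_token` and `check_integrity` are hypothetical, and the sample values are the ones used in this page's Examples section. It covers the listed causes (truncation, characters outside the alphabet, base64url) and goes one step further by checking that the decoded digest length matches the declared algorithm.

```python
import base64
import hashlib
import re

# Digest length in bytes for each algorithm SRI accepts.
DIGEST_BYTES = {"sha256": 32, "sha384": 48, "sha512": 64}
STANDARD_B64 = re.compile(r"[A-Za-z0-9+/]*={0,2}")


def sri_value(data: bytes, algorithm: str = "sha384") -> str:
    """Build '<algorithm>-<base64 digest>' from the exact bytes being served."""
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def check_token(token: str) -> list[str]:
    """Return the problems in one integrity token; an empty list means well formed."""
    algorithm, sep, b64 = token.partition("-")
    if not sep or algorithm not in DIGEST_BYTES:
        return [f"unsupported or missing algorithm prefix {algorithm!r}"]
    problems = []
    if "-" in b64 or "_" in b64:
        problems.append("base64url alphabet used ('-'/'_' instead of '+'/'/')")
    elif not STANDARD_B64.fullmatch(b64):
        problems.append("character outside the base64 alphabet")
    if len(b64) % 4:
        problems.append(f"length {len(b64)} is not a multiple of 4")
    if not problems:
        size = len(base64.b64decode(b64, validate=True))
        if size != DIGEST_BYTES[algorithm]:
            problems.append(f"decodes to {size} bytes, expected {DIGEST_BYTES[algorithm]}")
    return problems


def check_integrity(value: str) -> dict[str, list[str]]:
    """Check every space-separated token of an integrity attribute value."""
    return {token: check_token(token) for token in value.split()}


# Sample values copied from this page's examples.
GOOD_384 = "sha384-oqVuAfXRKap7fdgcCY5uykM6+R9Gh8S7f1bE0q/PuF3LtHac+obYTK2B69B1a8tT"
GOOD_256 = "sha256-BpfGp+xz0kN9mMKoECQbGRab7fMi/dsRZ7Sy7LVd3CE="

if __name__ == "__main__":
    for value in ("sha384-BadBase64Value!", GOOD_384[:-1], f"{GOOD_256} {GOOD_384}"):
        for token, problems in check_integrity(value).items():
            print(token, "->", problems or "ok")
```

A token that passes these checks is only well formed. Whether it matches the served file still requires comparing it with `sri_value()` computed over the exact bytes the `src` URL returns.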

## Examples

### Incorrect: Malformed base64 value

The hash below is not a valid base64 string — its length is not a multiple of 4, and it contains the character `!`, which is not in the base64 alphabet.

```html
<script
  src="https://cdn.example.com/library.js"
  integrity="sha384-BadBase64Value!"
  crossorigin="anonymous"></script>
```

### Incorrect: Truncated hash missing padding

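This hash has been accidentally truncated: its final character is missing, which leaves 63 base64 characters instead of 64, so the length is no longer a multiple of 4. The same error occurs when a hash that ends in `=` padding loses those trailing characters.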

```html
<script
  src="https://cdn.example.com/library.js"
  integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9Gh8S7f1bE0q/PuF3LtHac+obYTK2B69B1a8t"
  crossorigin="anonymous"></script>
```

### Correct: Properly formatted SRI hash

The base64 hash is the correct length (a multiple of 4) and uses only valid base64 characters. The trailing `T` completes the final 4-character group without needing padding in this case, but other hashes may end with `=` or `==`.

```html
<script
  src="https://cdn.example.com/library.js"
  integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9Gh8S7f1bE0q/PuF3LtHac+obYTK2B69B1a8tT"
  crossorigin="anonymous"></script>
```

### Correct: Multiple hashes for fallback

You can provide multiple hash values separated by spaces. Each one must be independently valid base64 with the correct length.

```html
<script
  src="https://cdn.example.com/library.js"
  integrity="sha256-BpfGp+xz0kN9mMKoECQbGRab7fMi/dsRZ7Sy7LVd3CE= sha384-oqVuAfXRKap7fdgcCY5uykM6+R9Gh8S7f1bE0q/PuF3LtHac+obYTK2B69B1a8tT"
  crossorigin="anonymous"></script>
```

Always ensure the hash is generated from the exact file the `src` attribute points to. If the CDN serves a different version or a minified variant, the hash will not match, and the browser will block the resource regardless of whether the base64 encoding is valid.
