CSP Hash Calculator

Generate secure hashes for your inline scripts and styles to use in your Content Security Policy.

Understanding CSP Hashes and Nonces

Learn about the two powerful mechanisms CSP provides for securing inline scripts and styles.

Hashes

A hash is a cryptographic fingerprint of your inline script or style content. When you include a hash in your CSP header, the browser verifies that the hash of encountered inline content matches the allowed hash.

  • Calculate hash of inline content (not the entire tag)
  • Include hash in CSP header with algorithm prefix (e.g., sha256-)
  • Requires 'unsafe-hashes' keyword in CSP

Example of using hashes with CSP

<!-- Original inline script -->
<script>
console.log('Hello from inline script!');
</script>

<!-- CSP Header -->
Content-Security-Policy: script-src 'sha256-jzgBGA4UWFFmpC6hS8HmB1FfsW5gPDyFF8R8gAAlR8=' 'unsafe-hashes';

Nonces

A nonce is a unique random value generated for each request. It's added to both the CSP header and the script/style tags you want to allow.

  • Server generates unique random value per request
  • Add nonce to both CSP header and script/style tags
  • Works well with 'strict-dynamic' directive

Example of using nonces with CSP

<!-- CSP Header (the nonce value must be identical to the one in the tags) -->
Content-Security-Policy: script-src 'nonce-EDNnf03nceIOfn39fn3e9h3sdfa' 'strict-dynamic';

<!-- HTML -->
<script nonce="EDNnf03nceIOfn39fn3e9h3sdfa" src="main.js"></script>
<script nonce="EDNnf03nceIOfn39fn3e9h3sdfa">
console.log("Inline script with nonce");
</script>
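The following added example (not the calculator's own code) shows how both mechanisms above are produced on the server side: the hash is computed over the exact bytes between the script tags only, and the nonce is a fresh CSPRNG value that must appear unchanged in both the header and the tag. The function names, the sample script body and the `main.js` path are assumptions for illustration.

```python
import base64
import hashlib
import secrets

# Constructed sample: the inline script body from the example above.
# Only the text between <script> and </script> is hashed, never the tags.
INLINE_SCRIPT = "console.log('Hello from inline script!');"


def csp_hash(content: str, algorithm: str = "sha256") -> str:
    """Return a CSP source expression such as 'sha256-<base64>' for inline content.

    CSP accepts sha256, sha384 and sha512; the digest is standard base64
    (with padding) over the exact UTF-8 bytes of the content.
    """
    if algorithm not in ("sha256", "sha384", "sha512"):
        raise ValueError(f"CSP does not accept {algorithm!r}")
    digest = hashlib.new(algorithm, content.encode("utf-8")).digest()
    return f"'{algorithm}-{base64.b64encode(digest).decode('ascii')}'"


def hash_policy(contents, algorithm: str = "sha256") -> str:
    """Build a script-src directive allowing exactly the given inline blocks."""
    sources = " ".join(csp_hash(c, algorithm) for c in contents)
    return f"script-src {sources};"


def new_nonce(num_bytes: int = 16) -> str:
    """Fresh, unguessable per-request nonce: base64 of CSPRNG bytes."""
    return base64.b64encode(secrets.token_bytes(num_bytes)).decode("ascii")


def nonce_policy_and_tag(nonce: str, src: str = "main.js"):
    """Header value and <script> tag that carry the same nonce."""
    header = f"script-src 'nonce-{nonce}' 'strict-dynamic';"
    tag = f'<script nonce="{nonce}" src="{src}"></script>'
    return header, tag


if __name__ == "__main__":
    print(hash_policy([INLINE_SCRIPT]))
    # Any change to the body, even a trailing newline, changes the hash,
    # so it must be recalculated whenever the inline content changes.
    assert csp_hash(INLINE_SCRIPT) != csp_hash(INLINE_SCRIPT + "\n")
    header, tag = nonce_policy_and_tag(new_nonce())
    print(header)
    print(tag)
```

Run it once per deployment for hashes; nonces are regenerated on every response, so `new_nonce()` belongs in the request handler, not in a build step.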

Frequently Asked Questions

Common questions about CSP hashes and nonces.

When should I use hashes vs nonces?

Use hashes for small, static inline scripts/styles. Use nonces for modern web applications with dynamic content and server-side rendering.

Do I need to recalculate hashes?

Yes, you must recalculate hashes whenever the inline content changes. Nonces, on the other hand, are generated fresh for each request.

Should I use hashes or nonces?

Both are more secure than using 'unsafe-inline'. Nonces are generally preferred for modern applications due to better security and easier management of dynamic content.

Ready to Secure Your Website?

Start using our hash calculator to generate secure hashes for your Content Security Policy.