CSP Hash Calculator
Generate SHA-256 hashes for inline scripts. Copy the hash directly into your Content Security Policy.
About This Tool
When you need to allow specific inline scripts or styles in your Content Security Policy (CSP) without using 'unsafe-inline', you can use cryptographic hashes. This tool calculates the SHA-256 hash of your content in the exact base64 format that browsers expect.
Features
Real-time calculation — hash updates instantly as you type or paste
Multiple algorithms — supports SHA-256, SHA-384, and SHA-512
Ready-to-use directives — get the full 'sha256-…' string or the complete script-src line
Automatic cleanup — removes leading/trailing whitespace automatically if selected
Client-side only — your sensitive scripts are never sent to a server
How to Use
Paste your inline script or style content (excluding <script> or <style> tags)
Copy the generated hash or full CSP directive
Add the hash to your script-src or style-src directive in your Nginx/Apache config or meta tag
Important Notes
Exact matching — Any change to the script (even a single space or newline) will result in a completely different hash and cause the browser to block the script.
No tags — Do not include the <script> or <style> HTML tags themselves, only the inner content.
Dynamic scripts — If your script contains dynamic values (like a user ID), hashes won’t work. Consider using nonces instead.
See the complete CSP guide for best practices
Privacy
Security is the priority. All cryptographic operations are performed locally in your browser using the Web Crypto API. Your script content is never transmitted over the network.
Linux Command Reference
You can also calculate these hashes manually in your terminal using standard Linux utilities.
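One way to do the manual calculation, as an added example that is not from the original page. It assumes the openssl command-line tool is installed; the function names csp_hash and csp_hash_file and the sample script are constructed for illustration.

```shell
#!/bin/sh
# csp_hash ALG: read the exact bytes of an inline script or style on stdin
# and print the CSP source expression, e.g. 'sha256-<base64 digest>'.
# ALG is sha256, sha384 or sha512. (Hypothetical helper name.)
csp_hash() {
    alg=${1:-sha256}
    case $alg in
        sha256|sha384|sha512) ;;
        *) echo "unsupported algorithm: $alg" >&2; return 2 ;;
    esac
    # -binary emits the raw digest bytes; "base64 -A" encodes them on one
    # line. Hashing the hex text that sha256sum prints would be wrong.
    digest=$(openssl dgst "-$alg" -binary | openssl base64 -A) || return 1
    printf "'%s-%s'\n" "$alg" "$digest"
}

# csp_hash_file FILE [ALG]: hash inner content saved in FILE (no tags).
# Redirecting the file keeps every byte, including a trailing newline,
# which "$(cat FILE)" would silently strip.
csp_hash_file() {
    csp_hash "${2:-sha256}" < "$1"
}

# Constructed sample: the same statement with and without a trailing
# newline. The two hashes differ, so only one matches a given page.
sample='console.log("hello");'
h_exact=$(printf '%s' "$sample" | csp_hash sha256)
h_newline=$(printf '%s\n' "$sample" | csp_hash sha256)

echo "Content-Security-Policy: script-src 'self' $h_exact;"
echo "same script plus a trailing newline: $h_newline"
```

Hash the bytes exactly as they appear between the tags in the served HTML; if the page is templated or minified at build time, hash the build output rather than the source file.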