CSP hashes and SRI, explained

When to use an inline CSP hash, when to use Subresource Integrity, and how to choose the right workflow for the script you're trying to trust.

The fast distinction

If the code lives inside your HTML, you're usually dealing with a CSP hash. If the browser downloads the file from a URL, you're usually dealing with SRI.

They are both content-based trust signals, but they plug into different parts of the browser security model. One authorizes inline execution through the CSP header. The other verifies the contents of an external file before the browser uses it.

What each one is for

Inline CSP hashes

Use a CSP hash when a script or style lives directly in the HTML and the contents are stable. The browser compares the exact bytes in the inline block to the hash you shipped in script-src or style-src.

  • Good fit for static bootstrap snippets, analytics init blocks, and generated marketing pages.
  • Whitespace and line breaks matter. Hash the exact deployed contents without the wrapping tag.
  • Every inline block needs its own hash value.

SRI hashes

Use Subresource Integrity when a script or stylesheet loads from a URL. The browser hashes the fetched file and compares the result to the integrity attribute on the tag before it executes or applies it.

  • Good fit for CDN assets and third-party files you want to pin to a known version.
  • Hash the production file, not an unminified local copy.
  • Most teams default to sha384 for SRI because it is broadly documented and widely used.

How they work together

CSP hashes and SRI solve related but different problems. CSP hashes help you allow known inline code in a strict policy. SRI helps you verify external files have not changed unexpectedly.

  • Use inline hashes to avoid 'unsafe-inline' in script-src and style-src.
  • Use SRI for third-party or CDN assets, especially when the file executes with high privilege on sensitive pages.
  • A mature setup often uses both: strict CSP for inline control and SRI for external integrity.

A practical workflow

  1. Identify the source. Is it an inline block in the document or an external asset loaded from a URL?
  2. Hash the deployed bytes. For inline code, paste the exact block contents without the wrapping tag. For external assets, hash the production file contents or fetch the public asset URL.
  3. Put the value in the right place. CSP hashes go in script-src or style-src. SRI hashes go in the tag's integrity attribute.
  4. Regenerate when the bytes change. If the inline block or external file changes, the old hash is no longer valid.

References and tools

MDN's Content Security Policy guide is the best broad reference for CSP deployment, while MDN's Subresource Integrity guide explains when and how integrity checks apply to external files.

Need to compute one now? Use the hash calculator for inline CSP hashes or the SRI hash calculator for external assets.