Free Tool
Content Security Policy Hash Calculator
Build one Content Security Policy hash at a time for inline <script> or <style> content. The digest is over the exact bytes you paste—whitespace and newlines must match production.
Inline Content
Paste the exact inline block content, without the wrapping tag.
Selected: script-src. Paste only what sits inside <script>…</script>, not the tags themselves.
Shortest token and the one most examples use. Strong enough for Content Security Policy; best default when you want a smaller policy string.
Hash exact bytes
CSP hashes are sensitive to every character in the inline block. Copy the production script or style body after templating, minification, and whitespace changes have already happened.
Use hashes sparingly
A hash is useful for a small inline bootstrap, analytics snippet, or critical style block. For frequently changing code, prefer an external asset or a per-request nonce instead of updating the policy on every deploy.
Deploy with context
Add the generated token to the matching directive, usually script-src or style-src. Test in Report-Only mode before enforcing so real browsers can reveal any missed inline blocks.