Fix CSP Hash for Static Inline Scripts and Styles
In this tutorial, you'll learn how to fix CSP hashes for static inline scripts and styles. We cover key concepts, practical examples, and best practices.
Static inline scripts whose content never changes are common in web pages. Using 'unsafe-inline' to allow them defeats CSP security. Hash-based CSP allows you to compute a cryptographic hash of the script or style content and include that hash in the policy, granting execution only to content with the exact matching hash.
Wrong
The CSP uses 'unsafe-inline' to allow inline scripts, or the hash in the policy does not match the actual script content.
Content-Security-Policy: script-src 'self' 'unsafe-inline'
<script>
var trackingId = 'UA-12345-6';
</script>
Any injected script can also execute. If using hashes, a common mistake is hashing the wrong content or using the wrong algorithm:
Content-Security-Policy: script-src 'self' 'sha256-abc123'
Refused to execute inline script because it violates the following Content
Security Policy directive: "script-src 'self' 'sha256-abc123'". Either the
'sha256-...' hash does not match the script content, or the script content was
modified after the hash was computed.
Right
Compute the SHA-256 hash of the exact script content and include it in the CSP.
<script>
var trackingId = 'UA-12345-6';
</script>
Compute the hash on the command line over the exact text between the tags, newlines included (printf is used instead of echo so the escapes are interpreted consistently across shells):
printf '\n var trackingId = '\''UA-12345-6'\'';\n' | openssl dgst -sha256 -binary | base64
Or compute it in Node.js:
const crypto = require('crypto');
// The exact text node between <script> and </script>, newlines included
const scriptContent = '\n var trackingId = \'UA-12345-6\';\n';
const hash = crypto.createHash('sha256').update(scriptContent).digest('base64');
console.log(`'sha256-${hash}'`);
Include the hash in the CSP:
Content-Security-Policy: script-src 'self' 'sha256-/F3T5YKhnxr2M1V9MqN6zV8Q3aB2pX1wY4Z5s6A7d8='
<script>
var trackingId = 'UA-12345-6';
</script>
For inline styles:
<style>
.highlight { color: red; }
</style>
Content-Security-Policy: style-src 'self' 'sha256-4f5g6h7j8k9l0m1n2o3p4q5r6s7t8u9v='
Prevention
- Use SHA-256 for hashes. SHA-384 and SHA-512 can also be used but SHA-256 is universally supported.
- Hash the exact content including whitespace, indentation, and newlines. A single extra space changes the hash.
- Use openssl dgst -sha256 -binary | base64 on the command line for accurate hash computation.
- When the inline content changes, the hash must be recalculated and the CSP updated.
- For content that changes regularly, use a nonce instead of a hash.
- Combine hashes with other script-src sources: script-src 'self' 'sha256-...' 'sha384-...'.
DodaTech Tools
Doda Browser computes and displays the required hash for blocked inline scripts directly in the console error message, making it easy to add the correct hash to your CSP. DodaZIP's build pipeline computes CSP hashes for all static inline scripts during the build process. Durga Antivirus Pro uses hash-based CSP for all its static analytics scripts.
Built by the developers of DodaTech
Doda Browser, DodaZIP & Durga Antivirus Pro