
Fix CSP Hash for Static Inline Scripts and Styles

DodaTech Updated 2026-06-26 3 min read

This tutorial shows how to fix a broken or missing CSP hash for static inline scripts and styles: what goes wrong, how to compute the correct hash, and how to keep the policy in step with the content.

Static inline scripts whose content never changes are common in web pages. Allowing them with 'unsafe-inline' defeats the purpose of CSP, because every inline script, injected ones included, is then permitted to run. A hash-based CSP instead lists a cryptographic hash of the exact script or style content in the policy, so the browser executes only content whose hash matches one listed there.

Wrong

The CSP uses 'unsafe-inline' to allow inline scripts, or the hash in the policy does not match the actual script content.

Content-Security-Policy: script-src 'self' 'unsafe-inline'
<script>
  var trackingId = 'UA-12345-6';
</script>

With 'unsafe-inline' in place, any script an attacker manages to inject executes as well. When hashes are used instead, a common mistake is hashing the wrong content (for example, omitting the newlines and indentation between the tags) or using the wrong algorithm:

Content-Security-Policy: script-src 'self' 'sha256-abc123'
Refused to execute inline script because it violates the following Content
Security Policy directive: "script-src 'self' 'sha256-abc123'". Either the
'sha256-...' hash does not match the script content, or the script content was
modified after the hash was computed.

Correct

Compute the SHA-256 hash of the exact content between the <script> tags, newlines and indentation included, and put it in the CSP.

<script>
  var trackingId = 'UA-12345-6';
</script>

Compute the hash using the command line. The content between <script> and </script> begins and ends with a newline, so those bytes must be hashed too; a plain echo -n of the one-line statement would leave them out and produce a hash the browser rejects:

printf '\n  var trackingId = '\''UA-12345-6'\'';\n' | openssl dgst -sha256 -binary | base64

Or compute it in Node.js, where the string literal carries the same leading and trailing newlines:

const crypto = require('crypto');
const scriptContent = '\n  var trackingId = \'UA-12345-6\';\n';
const hash = crypto.createHash('sha256').update(scriptContent).digest('base64');
console.log(`'sha256-${hash}'`);

Include the hash in the CSP (the hash values shown in this tutorial are illustrative placeholders, not real digests; use the value you computed):

Content-Security-Policy: script-src 'self' 'sha256-/F3T5YKhnxr2M1V9MqN6zV8Q3aB2pX1wY4Z5s6A7d8='
<script>
  var trackingId = 'UA-12345-6';
</script>

For inline styles, the same procedure applies with the style-src directive:

Content-Security-Policy: style-src 'self' 'sha256-4f5g6h7j8k9l0m1n2o3p4q5r6s7t8u9v='
<style>
  .highlight { color: red; }
</style>

Prevention

  • Use SHA-256 for hashes. SHA-384 and SHA-512 are also accepted, but SHA-256 is the most universally supported.
  • Hash the exact content between the tags, including whitespace, indentation, and newlines. A single extra space changes the hash.
  • Use openssl dgst -sha256 -binary | base64 on the command line, feeding it the exact content (with printf or a here-document so the surrounding newlines are preserved).
  • When the inline content changes, the hash must be recalculated and the CSP updated.
  • For content that changes regularly, use a nonce instead of a hash.
  • Combine hashes with other script-src sources, e.g. script-src 'self' 'sha256-...' 'sha384-...'.

DodaTech Tools

Doda Browser computes and displays the required hash for blocked inline scripts directly in the console error message, making it easy to add the correct hash to your CSP. DodaZIP's build pipeline computes CSP hashes for all static inline scripts during the build process. Durga Antivirus Pro uses hash-based CSP for all its static analytics scripts.

FAQ

How do I calculate the correct CSP hash?

The hash is computed from the entire content between the opening and closing tag, including whitespace and newlines. Use the command echo -n 'EXACT_CONTENT' | openssl dgst -sha256 -binary | base64, where EXACT_CONTENT is that full text with its newlines intact. The browser console error for a blocked script now includes the expected hash value, making it easy to copy directly into your CSP.

When should I use a hash instead of a nonce?

Use hashes for inline scripts or styles whose content is static and does not change between page loads. Use nonces for dynamic content that changes per request. Hashes are more efficient because they do not require server-side state, but every content change requires a CSP policy update.

Can I use multiple hashes in script-src?

Yes. You can include multiple hashes for different inline scripts: script-src 'self' 'sha256-abc123...' 'sha256-def456...' 'sha256-ghi789...'. Each hash allows one specific script content. The browser executes inline scripts only if their content hash matches one of the listed hashes.
