CSP Hash Digest Generator

Generate CSP hashes for script-src and style-src.

Insert the exact content with or without the <script> or <style> tags. Make sure to include all spacing and newlines. The hash will be automatically generated as you type.

F.A.Q.

What do I do with the hash?

The hash should be included in your Content-Security-Policy under the correct directive (script-src or style-src). As an example:

script-src https://cdn.com/jquery.js 'sha256-V6MU1O5VoBoCf5CCcSUEq0uDdOkHNn9qvhMNzKLle2o=';
style-src https://cdn.com/styles.css 'sha256-9PK+x51HIBJTF8W3h1GfrMo58ngBW77+9GoJi1XM6sw=';
report-uri https://my.endpoint.csper.io/;

Is it better to move inline JavaScript to a separate file or use a hash?

I recommend moving all inline scripts to a separate file, but using a hash can be good for getting started. If the JavaScript changes, the hash will need to be updated, which can cause issues if not everyone on the team is familiar with CSP. But if the JavaScript is in a file, it can be modified without issues.

How can I check if the hash is working?

You can check if the hash is working by opening the browser console. If the hash is incorrect, you will see a message in the console, and the browser will tell you the correct hash. If the hash is correct, you will not see any messages.

To see what this looks like, open the browser console on this current page. The current page is intentionally missing the following script-src 'sha256-eDD3ARH7WqXlzieuQm69j+6EQuVXw8PhWpK3CE8BvIs='.

What if the JavaScript is an event handler?

If you'd like to use inline event handlers (for example an 'onclick' handler), you will need to include the 'unsafe-hashes' keyword as part of script-src, alongside the hash of the handler code.

Are there other ways to generate the hash?

Yes, it is just 'sha256-' + base64(sha256(content)). Every (modern/reasonable) programming language has support for both base64 and sha256. Here's an example for generating the hash in bash using openssl:

echo -n 'var a = 1;' | openssl dgst -binary -sha256 | openssl base64

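The same formula applied to a whole page, as an added example (not Csper's code): this Python script pulls the exact body of every inline <script> and <style> element out of an HTML document and builds the matching directives. The names csp_hash, InlineCollector and policy_for, and the SAMPLE page, are made up for this illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser

def csp_hash(content: str) -> str:
    """Return the quoted source expression 'sha256-' + base64(sha256(content))."""
    digest = hashlib.sha256(content.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

class InlineCollector(HTMLParser):
    """Collects the exact text between <script>/<style> tags, whitespace included."""
    def __init__(self):
        super().__init__()
        self.blocks = {"script": [], "style": []}
        self._tag = None     # element currently being collected, if any
        self._chunks = []    # the parser may deliver one body in several pieces

    def handle_starttag(self, tag, attrs):
        # <script src=...> is allowed by its URL, not by a hash, so skip it.
        if tag == "style" or (tag == "script" and "src" not in dict(attrs)):
            self._tag, self._chunks = tag, []

    def handle_data(self, data):
        if self._tag:
            self._chunks.append(data)

    def handle_endtag(self, tag):
        if tag == self._tag:
            self.blocks[tag].append("".join(self._chunks))
            self._tag = None

def policy_for(html: str) -> str:
    """Build script-src / style-src directives hashing every inline block."""
    collector = InlineCollector()
    collector.feed(html)
    collector.close()
    lines = []
    for tag, directive in (("script", "script-src"), ("style", "style-src")):
        hashes = sorted({csp_hash(body) for body in collector.blocks[tag]})
        if hashes:
            lines.append(directive + " " + " ".join(hashes) + ";")
    return "\n".join(lines)

# Constructed sample page: the two inline scripts differ only by a newline.
SAMPLE = ("<html><head><style>\nbody { margin: 0 }\n</style>"
          "<script src='https://cdn.com/jquery.js'></script>"
          "<script>var a = 1;</script><script>var a = 1;\n</script></head></html>")

if __name__ == "__main__":
    print(policy_for(SAMPLE))
```

The two scripts in SAMPLE produce two different hashes, which is why the content must be hashed with all spacing and newlines intact.
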
Where can I learn more?

For any specific technical questions, I recommend checking out the CSPv3 spec. If it's a browser-specific question, the browser vendors have their own documentation, which is also quite good. If you are a Csper customer, feel free to email support.