CSP Nonce/Hash Helper
Diagnose security headers and policies in your browser. No input is sent to a server. Use it for first-pass checks before rollout.
Status
Runs entirely in your browser; use it as a first-pass diagnostic step.
How to use
Paste the inline script/style content and click “Compute Hash”, or click “Generate Nonce”. The output is ready to paste into a CSP directive.
Notes (this tool)
- Nonces should be generated per request.
About this page
What does this tool do?
Generate nonces and compute script/style hashes (sha256/384/512).
A helper to build CSP script-src/style-src policies quickly.
Typical use cases
- Allow inline scripts (nonce/hash)
- Add hashes to reduce CSP violations
- Quickly test nonce/hashes in staging
Nonce vs hash
A nonce is a per-request random value placed in the nonce attribute of each script/style element it authorizes, and echoed in the policy as 'nonce-<value>'.
A hash is computed from the exact inline content and stays valid for as long as that content is byte-for-byte unchanged.
What this tool does
- Generate a nonce (random bytes, Base64-encoded)
- Compute SHA-256/384/512 hashes of inline script/style content
- Output CSP-ready 'nonce-<value>' and 'sha256-<digest>' source expressions
Debugging workflow (recommended)
- Paste target security headers
- Check missing and overly permissive policies
- Validate with Report-Only and phased rollout
Operational notes
- Recommended values are environment-dependent. Validate against functional requirements before applying.
- In production, use phased rollout with report monitoring.
Referenced specs
- CSP Level 3 (W3C)
- MDN: Content-Security-Policy
FAQ
Should I use nonce or hash?
A nonce is usually easier for dynamically rendered templates, while a hash works well for fixed inline content that does not change between deployments.
Can the same nonce be reused?
No. Generate a fresh nonce for every request; a reused or predictable nonce defeats the purpose of the nonce-based allowance.
Example input
alert('hello');