← back to examples

script-src hash

CSP is active on both pages. The script only runs if its content hashes to the value in the policy — any change, even a single character, produces a different hash and gets blocked. The policy allows markScriptRan(); (hash: sha256-wuuSTgG2ZH0LpHQwYQdFRdv6NSjNy54JsQIg1OdTzEk=).

Response header (same on both pages)
Content-Security-Policy: script-src 'self' 'sha256-wuuSTgG2ZH0LpHQwYQdFRdv6NSjNy54JsQIg1OdTzEk='
Inline script in page source
<script>markScriptRan();</script>
// Header allows hash: sha256-wuuSTgG2ZH0LpHQwYQdFRdv6NSjNy54JsQIg1OdTzEk=
Result
( ._.)