🛡️ CSP Integrity active — hashes of loaded scripts are reported to Report URI

CSP Integrity

See how the CSP 'report-sha256' keyword sends the hash of every loaded script to Report URI — giving you cryptographic proof of exactly what code ran on your page.

Third-party script loading with hash reporting

The script still loads and runs — but the browser now reports its hash to Report URI so you know exactly what code executed

✅ Hash reporting active. The 'report-sha256' keyword in script-src instructs the browser to include the sha256 hash of every script it loads in the report sent to Report URI. The script is not blocked — it loads as normal. The difference is that you now have a cryptographic record of exactly what code ran.

Third-party script status

https://evil-cyber-hacker.com/demo/library.js

CSP header sent with this page

Content-Security-Policy: default-src 'self'; script-src 'self' 'report-sha256' https://evil-cyber-hacker.com; style-src 'self'; report-uri https://helios.report-uri.com/r/t/csp/enforce; report-to default

What 'report-sha256' does

'report-sha256' is a script-src keyword that instructs the browser to compute the sha256 hash of every script it loads and include that hash in the CSP report sent to your reporting endpoint. The script still loads and runs — this is about visibility, not blocking. If the file on the third-party server is ever modified, the hash in the next report will differ from the known-good value, giving you a real-time signal that something has changed.

Example CSP hash report (sent by the browser)
{
  "csp-hash": {
    "destination": "script",
    "documentURL": "https://report-uri-demo.com/csp-integrity/?protected",
    "hash": "sha256-Ay4ULFZ80TqgOvkYTt3V5bc4EGYlt7QLVNSDSLcMMx8=",
    "subresourceURL": "https://evil-cyber-hacker.com/demo/library.js",
    "type": "subresource"
  }
}
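
One way to act on these reports is to compare each reported hash against the hash of a copy of the script you have reviewed. The sketch below is an added example, not Report URI's code: it assumes reports arrive in the JSON shape shown above and that the hash is "sha256-" followed by the base64 SHA-256 digest of the script bytes. The function names and the sample script bodies are constructed for illustration.

```python
import base64
import hashlib
import json

SCRIPT_URL = "https://evil-cyber-hacker.com/demo/library.js"  # URL from the page

def csp_hash(script_bytes):
    """Return 'sha256-' + base64(SHA-256 digest), the format seen in the report."""
    digest = hashlib.sha256(script_bytes).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")

def check_report(raw_report, baseline):
    """Classify one report against baseline {script URL: set of reviewed hashes}."""
    try:
        body = json.loads(raw_report)["csp-hash"]
        url, reported = body["subresourceURL"], body["hash"]
    except (ValueError, KeyError, TypeError):
        return ("invalid", None, None)
    if not (isinstance(url, str) and isinstance(reported, str)):
        return ("invalid", None, None)
    if body.get("destination") != "script":
        return ("ignored", url, reported)
    known = baseline.get(url)
    if known is None:
        return ("unpinned", url, reported)  # a script nobody has reviewed yet
    if reported in known:
        return ("match", url, reported)
    return ("changed", url, reported)  # file differs from the reviewed copy

def make_report(url, script_bytes):
    """Build a constructed report in the shape of the page's example."""
    return json.dumps({"csp-hash": {
        "destination": "script",
        "documentURL": "https://report-uri-demo.com/csp-integrity/?protected",
        "hash": csp_hash(script_bytes),
        "subresourceURL": url,
        "type": "subresource",
    }})

# Constructed sample data: two versions of a library body, not the real file.
REVIEWED = b"console.log('library v1');\n"
MODIFIED = b"console.log('library v2');\n"
BASELINE = {SCRIPT_URL: {csp_hash(REVIEWED)}}

if __name__ == "__main__":
    for raw in (make_report(SCRIPT_URL, REVIEWED),
                make_report(SCRIPT_URL, MODIFIED),
                make_report("https://cdn.example/new.js", REVIEWED),
                "not json"):
        print(check_report(raw, BASELINE)[:2])
```

A "changed" or "unpinned" result is the signal to review the new file before adding its hash to the baseline; keeping a set of hashes per URL allows for a planned upgrade during which two versions are both valid.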