File Checksum

Pick a file to compute its SHA-256, SHA-1, SHA-384 and SHA-512 checksums. Paste the value published by the source to verify it on the spot (tamper detection). Switch the output format to “SRI” to also generate integrity="sha384-…" attributes for CDN scripts. Large files are read in chunks with a progress bar. Everything happens on your device; files never leave it.

How to use the file checksum tool

Drag & drop a file or click the box to choose one, and the checksum for the selected algorithm (SHA-256 by default) is computed. Copy any value with the “Copy” button. Paste the source's published value into the verify field and the matching algorithm shows Match ✓ or Mismatch ✗.

Example: the SHA-256 of an empty (0-byte) file is e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855. If the SHA-256 listed on a download page exactly matches the value computed here, the download is intact and untampered, provided the published value itself comes from a source you trust. Even a single different byte changes the value drastically.

  • SHA-256: 256-bit (64 hex chars). The standard choice for tamper detection.
  • SHA-1: 160-bit (40 hex chars). For checking older artifacts; not recommended for security.
  • SHA-512: 512-bit (128 hex chars). Longer output, higher safety margin.

How this differs from text hash generation

This tool computes the checksum from the file's raw bytes. To hash a pasted string, use the Hash Generator. Large files are read in chunks so you can follow progress on the bar.

Generating SRI (Subresource Integrity) attributes

Switch the output format to “SRI” to generate the base64 integrity attribute you add to a CDN <script> or <link>. Pick app.js, for example, and you get a line like integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6…" — paste it straight into the tag (along with crossorigin="anonymous"). SHA-384 is common for SRI; SHA-256 and SHA-512 are also available. SHA-1 is not valid for SRI, so it isn't output.

FAQ

Is my file sent to a server?
No. Reading and checksum calculation happen entirely in your browser (Web Crypto API). Your file is never uploaded or stored anywhere.

How is this different from text hash generation?
This tool computes the checksum from the file's raw bytes. If you want to hash a pasted string instead, use the Hash Generator. Large files are read in chunks with a progress bar.

Do you support MD5?
No. The browser's built-in Web Crypto API does not support MD5, so this tool computes SHA-256, SHA-1, SHA-384 and SHA-512 only. For tamper detection, prefer SHA-256 or stronger.

What is SRI (Subresource Integrity)?
It lets the browser verify that JS/CSS loaded from a CDN or other external source has not been tampered with. Switch the output format to SRI to generate integrity="sha384-..." attributes. Paste them into a script or link tag and the browser refuses to load files whose hash does not match.

Which hash should I use for SRI?
SHA-384 is common and strong enough. Use SHA-512 for stronger verification, or SHA-256 for compatibility. SHA-1 is not valid for SRI, so it is not output.

Can I paste the integrity attribute as is?
Yes. Each line is in the form integrity="sha384-...", so you can paste it straight into a script or link tag. Remember to add crossorigin="anonymous" too.