DevBolt
Processed in your browser. Your data never leaves your device.

How do I calculate a file hash (checksum) online?

Drag and drop any file to instantly compute its MD5, SHA-1, SHA-256, SHA-384, and SHA-512 hashes. Use Verify mode to paste an expected hash and check if it matches. File hashing uses the Web Crypto API and runs entirely in your browser — your files never leave your device.

Calculate SHA-256 of a file
Input
[document.pdf]
Size: 2.4 MB
Output
SHA-256: 9f86d081884c7d659a2f...
MD5: 098f6bcd4621d373cade4e832627b4f6
SHA-1: a94a8fe5ccb19ba61c4c0873d391e987982fbbd3
← Back to tools

File Hash Calculator

Drag and drop a file to compute MD5, SHA-1, SHA-256, SHA-384, and SHA-512 hashes. Verify file integrity by comparing against an expected hash. All processing happens in your browser.

Drop a file here or click to browseAny file type, up to 2 GB
About File Hash Calculator

A file hash (or checksum) is a fixed-size string computed from the contents of a file. Even a tiny change to the file produces a completely different hash, making hashes ideal for verifying file integrity — for example, confirming a download wasn't corrupted or tampered with.

MD5produces a 128-bit hash. While no longer recommended for security purposes, it's still widely used for quick integrity checks and is commonly listed on download pages.

SHA-1produces a 160-bit hash. It's used in Git for commit IDs and some legacy systems, but is considered weak for cryptographic purposes.

SHA-256is the modern standard for file verification, producing a 256-bit hash. It's used by package managers, software distributors, and blockchain systems.

SHA-384 and SHA-512 provide even longer hashes (384 and 512 bits respectively) for applications that require extra collision resistance.

All hashing is performed entirely in your browser using the Web Crypto API (SHA) and a pure JavaScript implementation (MD5). Your files are never uploaded to any server.

Tips & Best Practices

Pro Tip

SHA-256 is the standard for file integrity verification

SHA-256 balances speed and collision resistance for file verification. MD5 is fast but broken for security purposes. SHA-1 has known collision attacks. SHA-512 adds marginal security for significantly more computation. SHA-256 is the sweet spot.

Common Pitfall

Hash comparison must be constant-time to prevent timing attacks

Comparing hashes with === in JavaScript short-circuits on the first different byte, leaking information about how many bytes matched. For security-critical comparisons, use crypto.timingSafeEqual() or a constant-time comparison function.

Real-World Example

Verify downloaded files by comparing hashes from the publisher

Software publishers provide SHA-256 checksums alongside downloads. After downloading, hash the file and compare. If the hashes don't match, the file was corrupted in transit or tampered with. This catches supply-chain attacks.

Security Note

MD5 should never be used for security — only legacy compatibility

MD5 collision attacks are practical — researchers generated two different PDF files with the same MD5 hash in 2005. Use SHA-256 minimum for integrity verification. MD5 is only acceptable for non-security checksums like cache busting.

Frequently Asked Questions

How do I verify a file's checksum using a hash?
Drag and drop your file into DevBolt's File Hash Calculator and it generates MD5, SHA-1, SHA-256, SHA-384, and SHA-512 hashes instantly. To verify integrity, compare the generated hash against the checksum provided by the source. The tool includes a verify mode where you paste the expected hash and it highlights whether the comparison passes or fails. All hashing runs client-side using the Web Crypto API, so your files never leave your device. This workflow is essential for verifying software downloads, firmware images, and ISO files.
What is the difference between MD5, SHA-1, and SHA-256 for file hashing?
MD5 produces a 128-bit (32-character hex) hash and is fast but cryptographically broken. SHA-1 produces a 160-bit (40-character) hash and is also insecure after demonstrated collision attacks in 2017. SHA-256 produces a 256-bit (64-character) hash and remains cryptographically secure, making it the standard choice for file integrity verification. For simple corruption detection where deliberate tampering is not a concern, MD5 is sufficient and faster. For anything involving security or trust verification, use SHA-256 or SHA-512.
Is it safe to hash sensitive files in a browser-based tool?
Yes, when the tool processes files entirely client-side. DevBolt's File Hash Calculator reads your file using the browser's FileReader API and computes hashes locally with the Web Crypto API. No file data is uploaded to any server. You can verify this by monitoring the Network tab during hashing. The file contents exist only in your browser's memory and are released when you close the page. This makes it safe for hashing confidential documents, proprietary builds, and any files containing sensitive data.

Related Inspect Tools

{ }

JSON Visualizer

Visualize JSON as an interactive tree — collapsible nodes, search, path copy, depth controls, and data statistics

GDV

Git Diff Viewer

Paste unified diff output from git diff and view it with syntax highlighting, line numbers, and side-by-side or inline display

ZIP

Compression Tester

Test and compare Brotli, Gzip, and Deflate compression ratios for text content — sizes, savings, and speed

TS6

TypeScript 6.0 Migration Checker

Analyze your tsconfig.json for TS 6.0 breaking changes, deprecated options, new defaults, and get a readiness grade with fixes