Is my file uploaded anywhere?

No. The file is read in your browser with the FileReader/ArrayBuffer API and hashed locally with Web Crypto. No bytes are sent to any server, which is why large files hash without any network activity.

Which hash should I trust for security?

Use SHA-256. SHA-1 and MD5 are included for verifying legacy downloads that only publish those checksums, but both are cryptographically broken and must not be relied on to prove a file has not been maliciously modified.

Why is MD5 computed differently from SHA-256?

The Web Crypto API does not provide MD5, so this tool implements MD5 (RFC 1321) in pure JavaScript. SHA-256 and SHA-1 use the browser's native crypto.subtle.digest for speed and correctness.

What does a checksum mismatch mean?

It means the file you have is not byte-for-byte identical to the one whose hash was published. The most common causes are an interrupted or corrupted download, a different version of the file, or deliberate tampering.

Can I hash very large files?

Yes, within your browser's available memory. The tool loads the whole file into an ArrayBuffer, so extremely large files (several GB) may be limited by RAM, but typical downloads of a few hundred MB hash quickly.

Local File Hash Generator (SHA-256/SHA-1/MD5)

A file checksum is a fixed-length fingerprint computed from every byte of a file. If even one bit changes, the checksum changes completely, which makes hashes the standard way to confirm a download is intact and unmodified. This tool computes SHA-256, SHA-1, and MD5 for any file you select — entirely inside your browser, with nothing uploaded.

How it works

When you choose a file, the browser reads its raw bytes into an ArrayBuffer:

SHA-256 and SHA-1 are produced by the native Web Crypto API call crypto.subtle.digest(...), which is fast and constant-time.
MD5 is not offered by Web Crypto, so it is computed with a pure-JavaScript implementation of the RFC 1321 algorithm (padding, 64-round compression, little-endian output).
Each digest is rendered as a lowercase hexadecimal string.

Because the bytes never leave the page, you can safely hash confidential files without exposing them to a server.

Example and notes

A download page lists SHA-256: e3b0c442.... Drop the downloaded file here, read the SHA-256 value, and compare. If they match character-for-character, the file is authentic and undamaged. If they differ, re-download or treat the file as untrusted.

Prefer SHA-256 whenever you have the choice — collisions have been demonstrated for both MD5 and SHA-1, so they should only be used to verify legacy artifacts that publish nothing stronger.