Browser-side defense, audited the way an assessor would.

Real TLS handshake — chain trust, expiry, negotiated version, public-key strength, and signature algorithm.

Walks an https page for http:// sub-resources. Distinguishes active (blocked) from passive (warned) mixed content.

Grades CSP, HSTS, frame protection, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. Weighted scoring with a fix list.

Pick your CSP directives, frame policy, referrer-policy, and Permissions-Policy. We emit a ready-to-paste header block for your CDN or reverse proxy.

Paste your Content-Security-Policy header. We grade every directive against modern best practice — wildcards, 'unsafe-inline', missing frame-ancestors, and the rest.

Paste your Access-Control-* headers. Catches wildcard + credentials (browser refuses), Allow-Origin: null (exploitable), and comma-separated origin lists.

Paste your Strict-Transport-Security header. We grade it against Chrome's preload-list requirements (max-age >= 1y, includeSubDomains, preload).

Per-cookie grading of Secure, HttpOnly, and SameSite — the three flags that decide whether XSS can steal sessions.

Paste a single Set-Cookie line. Decomposes name/value/attributes and grades against modern best practice (Secure, HttpOnly, SameSite, __Host-, Partitioned).

Probes redirect-shaped query parameters with an attacker-controlled destination. Fails are endpoints with no allowlist.

Decomposes a URL into scheme, host, path, query, fragment. Flags safety findings — IDN homograph attacks, suspicious ports, mismatched encoding.

One-shot reconnaissance scan. Pulls NS/MX/A/AAAA/TXT/CAA on the apex, discovers subdomains via Certificate Transparency, resolves the owning ASN per IP, and renders the whole thing as a node-link map.

Pick the CAs you trust. Emits the DNS CAA records to publish so unauthorized CAs can't issue certs for your domain.

Generate a valid /.well-known/security.txt (RFC 9116). Warns on http://, expired, or 2+ year-out Expires fields.

Decode header + payload, flag the `alg: none` exploit, show expiry status, and list claim sets. Doesn't verify signatures — that requires the secret.

MD5, SHA-1, SHA-256, SHA-384, SHA-512. Paste text or upload a file; copy any digest with one click.

Encode arbitrary bytes to base64 or base64url; decode the other way. Useful for inspecting auth headers and CSP nonces.

Percent-encode or decode in three flavors — encodeURI, encodeURIComponent, and form-urlencoded (+ for space).

Escape the five OWASP-mandated characters (or every non-ASCII). Decode named, decimal, and hex references. Detects double-encoding.

Generate v4 UUIDs in bulk; inspect a UUID's variant + version. Useful when correlating logs across services.

Entropy + time-to-crack against three attacker baselines. 100% client-side — your password never leaves the browser. Flags repeated chars, year suffixes, top-100 breach corpus.

Convert between Unix epoch (seconds/ms), ISO-8601, RFC 3339, and human-readable. Always uses UTC to avoid timezone confusion.

Paste a 5-field cron expression — we explain it in plain English and show the next 6 UTC fire times. Catches the dom/dow OR-semantics gotcha.

Compute network/broadcast, usable range, mask, and host count for any IPv4 CIDR. Handy when carving subnets for new VPCs.

Expand ::-compressed addresses to full 8-hextet form, get the RFC 5952 canonical form, classify scope, derive reverse-DNS PTR.

Pretty-print, minify, or validate any JSON. Surfaces parse errors with line + column. Stays entirely client-side.

Live regex match preview against multi-line input. Highlights matches + groups. JavaScript regex flavor; no PCRE-only features.

Compare two texts line-by-line. Side-by-side or unified view, with +/- stats. Useful for comparing two CSP headers, JSON payloads, or config files.