Memorable Password Generator â DicewareâStyle Passphrases
Generate strong yet memorable passphrases from a large wordlist. Choose the number of words and include a number or symbol for extra security.
UD5 Toolkit
Generate strong yet memorable passphrases from a large wordlist. Choose the number of words and include a number or symbol for extra security.
Paste the content of a JavaScript or CSS file and get its SHAâ256, SHAâ384, or SHAâ512 integrity hash. Build the full <script> tag with crossorigin.
Validate the syntax of an SPF record, check for the 10âlookup limit, and flatten nested includes. Improve email deliverability by fixing SPF errors.
Generate cryptographically secure random strings suitable for API keys, secrets, and tokens. Choose length and character set (hex, base64, alphanumeric).
Generate a dummy RSA or EC public/private key pair for educational visualization. Shows key structure and ASN.1 dump. Not for production use.
Paste a URL or HTML to detect known vulnerable JavaScript library versions. Quick security audit. Clientâside only.
Paste an SSL certificate and private key to verify they belong together. Check if a CSR matches a private key. All local crypto.
Paste an ASCIIâarmored PGP message and view its packet structure. See the encrypted/plaintext blocks without decrypting.
See how Trusted Types prevents unsafe HTML assignment. Test against injected scripts. Modern security practice.
Paste text or drop a file and get checksums in multiple formats simultaneously. Compare with original. All local.
Generate a bcrypt hash from a password with configurable salt rounds. Verify a password against a hash. Entirely clientâside.
Remove all EXIF, IPTC, and XMP metadata from your photos. Strip GPS location. Protect your privacy before upload.
Generate a selfâsigned X.509 certificate and private key for local development. All created in your browser. No server involved.
Create a PGP key pair (RSA or ECC) directly in your browser with passphrase protection. Export public/private armored keys. No upload.
Sign a message with a private key and verify the signature with the public key. Learn digital signature flow.
Enter a domain and see its SSL certificate details: issuer, validity dates, and chain. Clientâside fetch.
Test your device's builtâin biometric (Touch ID, Face ID, Windows Hello) using the Web Authentication API. Register and verify.
Generate a BLAKE3 hash of any text or file. Extremely fast. Perfect for checksums and content addressing. Local.
Issue and redeem Private State Tokens (formerly Trust Tokens). Understand how they help detect bots without cookies.
Create a passkey and authenticate using the Web Authentication API. Supports platform authenticators (TouchID, FaceID). No server.
Encrypt and decrypt text using the browser's Web Crypto API. Supports AESâGCM and subtle key generation. No server required.
Enter a CDN URL for a script or style and generate the integrity attribute with sha384 or sha512. Protect your site.
Define password rules and see a live checklist that updates as you type. Design better password UX for your app.
Paste a potential XSS vector and see if it executes in a sandboxed iframe. For security researchers and education.
Send a test CSP violation report and see the ReportingObserver in action. Understand how monitoring works.
Create a CAA DNS record to specify which certificate authorities can issue SSL certs for your domain. Prevent misâissuance.
Convert plain text into HTMLâsafe strings by escaping <, >, &, and quotes. Insert into code safely. Local copy.
Write notes that are encrypted in your browser before saving to localStorage. Only accessible with your passphrase.
Paste a hash and the tool guesses which algorithm created it based on length and format. Useful for forensic analysis.
Remove all EXIF data (GPS, camera info) from a JPEG before uploading. Processed locally. Protect your privacy.
Test if a script or style will be allowed by a given CSP. Compute hash/nonce. Strengthen your siteâs defense against XSS. Local.
Create a DMARC policy record with percentage, reporting addresses, and alignment mode. Validate and copy the final DNS TXT.
Generate a DKIM DNS record from a public key and selector. Check syntax. Improve your domainâs email deliverability.
Enter a suspicious link and this tool performs a clientâside check against public threat intelligence feeds. See risk category before you click.
Generate SHAâ1, SHAâ256, SHAâ512, and SHAâ3 digests of any text or file. Verify integrity. All in your browser.
Paste raw email headers and see authentication results (SPF, DKIM, DMARC) in a readable table. Find spoofing attempts.
Paste a JSON Web Token and decode its header and payload. Verify signature if you provide the secret. Fully local.
Create a custom cookie consent banner with text, button styles, and colors. Copy the readyâtoâuse HTML/CSS/JS snippet.
Paste a JWT and a public key or secret to verify the signature. Supports HS256, RS256, ES256. All operations local.
Paste a raw WebAuthn attestation response (CBOR) and decode its fields: format, authenticator data, and extensions. Debug passkeys locally.
Configure browser feature permissions (camera, microphone, geolocation) and generate the PermissionsâPolicy HTTP header.
Derive a strong cryptographic key from a password using PBKDF2 with SHAâ256. Adjust iterations and salt. Educational and test tool.
Generate Argon2id hashes in the browser using a WASM compilation. Choose memory, iterations, and parallelism. Secure local hashing.
Tell if your password has appeared in data breaches without sending the full password. Uses hash prefix locally.
Test SQL injection inputs on a mock database and see the resulting query. Learn how to prevent SQLi. No real data.
Enter a website and check which security headers (HSTS, CSP, XâFrameâOptions) are present. Get a security grade.
Check if a URL can be embedded in an iframe. Test your siteâs defense against clickjacking. Browserâbased.
Generate SHAâ3 and SHAKE hashes of any text with configurable output length. All local using js library.
Use the new Sanitizer API to safely insert raw HTML into the DOM. Blocks malicious tags. Experimental demo.
Paste a PEM/DER certificate and decode all fields: issuer, subject, validity, SANs, and fingerprint. Pure JavaScript parser.
Paste a ContentâSecurityâPolicy header and get a humanâreadable breakdown. See potential risks and suggestions.
Hash passwords using the bcrypt algorithm with configurable cost factor. Also verify a password against a stored hash. All local.
Generate a CSR and private key pair in the browser using the Web Crypto API. Download both as files. No data sent to server.
Enter a password and see the estimated time it would take to crack using brute force at different speeds. Educational.
Generate cryptographic key pairs using the Web Crypto API. Export as JWK or raw. No server needed; pure security.
Encrypt and decrypt text using AES in the browser with a password. Uses Web Crypto API. No data sent to server.
Create an HMAC (Hashâbased Message Authentication Code) using SHAâ256 or SHAâ512 with a secret key. Verify data integrity. Local.
Generate cryptographically secure BIP39 mnemonic phrases (12 or 24 words) for HD wallet seeds. All entropy generated locally.
Define minimum length, uppercase, digits, special chars, and check if a password meets your custom policy. Instant feedback.
Check if your site is crossâorigin isolated by examining the COOP and COEP headers. See if SharedArrayBuffer is available.