Memorable Password Generator â DicewareâStyle Passphrases
Generate strong yet memorable passphrases from a large wordlist. Choose the number of words and include a number or symbol for extra security.
UD5 Toolkit
Generate strong yet memorable passphrases from a large wordlist. Choose the number of words and include a number or symbol for extra security.
Enter a suspicious link and this tool performs a clientâside check against public threat intelligence feeds. See risk category before you click.
Paste the content of a JavaScript or CSS file and get its SHAâ256, SHAâ384, or SHAâ512 integrity hash. Build the full <script> tag with crossorigin.
Generate cryptographically secure random strings suitable for API keys, secrets, and tokens. Choose length and character set (hex, base64, alphanumeric).
Validate the syntax of an SPF record, check for the 10âlookup limit, and flatten nested includes. Improve email deliverability by fixing SPF errors.
Generate a dummy RSA or EC public/private key pair for educational visualization. Shows key structure and ASN.1 dump. Not for production use.
Enter a CDN URL for a script or style and generate the integrity attribute with sha384 or sha512. Protect your site.
Test a regular expression against malicious inputs to detect catastrophic backtracking and ReDoS vulnerabilities. Educational.
Paste a URL or HTML to detect known vulnerable JavaScript library versions. Quick security audit. Clientâside only.
Paste an SSL certificate and private key to verify they belong together. Check if a CSR matches a private key. All local crypto.
Test your device's builtâin biometric (Touch ID, Face ID, Windows Hello) using the Web Authentication API. Register and verify.
Enter a router's MAC address or serial and generate the common default WPA passphrase for major ISP brands. Educational purpose only.
Drop a PDF and extract any embedded JavaScript or form actions. Check for malicious code. Privacyâfriendly analysis.
Generate strong random strings for API tokens, session secrets, or encryption keys. Uses crypto.getRandomValues().
Write notes that are encrypted in your browser before saving to localStorage. Only accessible with your passphrase.
Enter a password and see the estimated time it would take to crack using brute force at different speeds. Educational.
Define password rules and see a live checklist that updates as you type. Design better password UX for your app.
Paste an ASCIIâarmored PGP message and view its packet structure. See the encrypted/plaintext blocks without decrypting.
Paste a hash and the tool guesses which algorithm created it based on length and format. Useful for forensic analysis.
Test SQL injection inputs on a mock database and see the resulting query. Learn how to prevent SQLi. No real data.
Paste a potential XSS vector and see if it executes in a sandboxed iframe. For security researchers and education.
Enter a website and check which security headers (HSTS, CSP, XâFrameâOptions) are present. Get a security grade.
Paste text and instantly see if it contains hidden zeroâwidth characters often used in steganography. Reveal invisible payloads.
Send a test CSP violation report and see the ReportingObserver in action. Understand how monitoring works.
Remove all EXIF, IPTC, and XMP metadata from your photos. Strip GPS location. Protect your privacy before upload.
Paste text or drop a file and get checksums in multiple formats simultaneously. Compare with original. All local.
Generate a BLAKE3 hash of any text or file. Extremely fast. Perfect for checksums and content addressing. Local.
Generate SHAâ3 and SHAKE hashes of any text with configurable output length. All local using js library.
Sign a message with a private key and verify the signature with the public key. Learn digital signature flow.
Generate cryptographic key pairs using the Web Crypto API. Export as JWK or raw. No server needed; pure security.
Use the new Sanitizer API to safely insert raw HTML into the DOM. Blocks malicious tags. Experimental demo.
See how Trusted Types prevents unsafe HTML assignment. Test against injected scripts. Modern security practice.
Remove all EXIF data (GPS, camera info) from a JPEG before uploading. Processed locally. Protect your privacy.
Enter a domain and see its SSL certificate details: issuer, validity dates, and chain. Clientâside fetch.
Check if a password appears in the Have I Been Pwned database using kâAnonymity. Only the first 5 characters of the hash are sent.
Generate SHAâ1, SHAâ256, SHAâ512, and SHAâ3 digests of any text or file. Verify integrity. All in your browser.
Generate a bcrypt hash from a password with configurable salt rounds. Verify a password against a hash. Entirely clientâside.
Encrypt and decrypt text using AES in the browser with a password. Uses Web Crypto API. No data sent to server.
Check which cipher suites a website supports and identify weak or outdated ones. Quick security audit from your browser.
Paste a JWT and a public key or secret to verify the signature. Supports HS256, RS256, ES256. All operations local.
Paste a PEM/DER certificate and decode all fields: issuer, subject, validity, SANs, and fingerprint. Pure JavaScript parser.
Paste raw email headers and see authentication results (SPF, DKIM, DMARC) in a readable table. Find spoofing attempts.
Validate a DNSSEC chain by entering DS and RRSIG records. Verify that signatures match. Educational. Local algorithm.
Paste the PermissionsâPolicy header and get a humanâreadable table of allowed/blocked browser features. Understand how your site is restricted.
Test if a script or style will be allowed by a given CSP. Compute hash/nonce. Strengthen your siteâs defense against XSS. Local.
Paste a raw WebAuthn attestation response (CBOR) and decode its fields: format, authenticator data, and extensions. Debug passkeys locally.
Issue and redeem Private State Tokens (formerly Trust Tokens). Understand how they help detect bots without cookies.
Create a passkey and authenticate using the Web Authentication API. Supports platform authenticators (TouchID, FaceID). No server.
Check if a URL can be embedded in an iframe. Test your siteâs defense against clickjacking. Browserâbased.
Fetch a siteâs HSTS header and validate its syntax, maxâage, and subdomain flags. Ensure your site enforce HTTPS.
Check if your site is crossâorigin isolated by examining the COOP and COEP headers. See if SharedArrayBuffer is available.
Paste a ContentâSecurityâPolicy header and get a humanâreadable breakdown. See potential risks and suggestions.
Configure browser feature permissions (camera, microphone, geolocation) and generate the PermissionsâPolicy HTTP header.
Derive a strong cryptographic key from a password using PBKDF2 with SHAâ256. Adjust iterations and salt. Educational and test tool.
Generate a selfâsigned X.509 certificate and private key for local development. All created in your browser. No server involved.
Create a CAA DNS record to specify which certificate authorities can issue SSL certs for your domain. Prevent misâissuance.
Generate Argon2id hashes in the browser using a WASM compilation. Choose memory, iterations, and parallelism. Secure local hashing.
Hash passwords using the bcrypt algorithm with configurable cost factor. Also verify a password against a stored hash. All local.
Create an HMAC (Hashâbased Message Authentication Code) using SHAâ256 or SHAâ512 with a secret key. Verify data integrity. Local.
Encrypt and decrypt text using the browser's Web Crypto API. Supports AESâGCM and subtle key generation. No server required.