Permissions‑Policy Header Generator - Online Security Config
Configure browser feature permissions (camera, microphone, geolocation) and generate the Permissions‑Policy HTTP header.
UD5 Toolkit
Paste a Content-Security-Policy header value or enter a URL to fetch it automatically. Identify weaknesses, get improvement suggestions, and generate a hardened policy.
.txt file or paste from clipboard.fetch. If blocked, paste the policy manually.'unsafe-inline', *), and suggests hardened alternatives to balance security and compatibility.default-src, script-src, style-src, img-src, connect-src, font-src, object-src, media-src, frame-src, worker-src, and others. Also checks for base-uri, form-action, etc.http: or data:. Low – Mostly secure with minor improvements possible.'unsafe-inline', 'unsafe-eval', replaces wildcard * with 'self', and upgrades http: to https:. It also suggests adding 'strict-dynamic' when nonces/hashes are present. Always test the generated policy before deploying.Content-Security-Policy response header. Due to browser CORS restrictions, this may not always succeed. In such cases paste the header value manually (you can copy it from DevTools → Network → Response Headers).Configure browser feature permissions (camera, microphone, geolocation) and generate the Permissions‑Policy HTTP header.
Paste response headers string and get a security audit. Check presence and configuration of key security headers. Local analysis.
Calculate the entropy (in bits) of a password based on character pool size and length. Visual strength meter with crack time estimation. Local only.
Analyze letter/symbol frequency with an interactive bar chart and heatmap. Useful for breaking simple ciphers, linguistics, and SEO keyword analysis. Local processing.
Paste a SQL CREATE TABLE statement and extract just the column names as a CSV header row. For data migration.
Test a regular expression against malicious inputs to detect catastrophic backtracking and ReDoS vulnerabilities. Educational.
Drop a WAV file and see its full header: sample rate, bit depth, channels, and chunk structure. Raw bytes explained.
Drop a PDF and extract any embedded JavaScript or form actions. Check for malicious code. Privacy‑friendly analysis.
Test SQL injection inputs on a mock database and see the resulting query. Learn how to prevent SQLi. No real data.
Paste a potential XSS vector and see if it executes in a sandboxed iframe. For security researchers and education.
Enter a website and check which security headers (HSTS, CSP, X‑Frame‑Options) are present. Get a security grade.
Send a test CSP violation report and see the ReportingObserver in action. Understand how monitoring works.
See how Trusted Types prevents unsafe HTML assignment. Test against injected scripts. Modern security practice.
Send conditional requests to a URL and verify that the server correctly handles ETag and If‑None‑Match. Audit caching.
Scroll a container and see how sticky elements behave. Adjust top, bottom, and scroll margins. Copy the code.
Enter a URL and see a waterfall of external scripts with their download size and execution time estimate. Identify performance culprits.
Validate a DNSSEC chain by entering DS and RRSIG records. Verify that signatures match. Educational. Local algorithm.
Paste the Permissions‑Policy header and get a human‑readable table of allowed/blocked browser features. Understand how your site is restricted.
Test if a script or style will be allowed by a given CSP. Compute hash/nonce. Strengthen your site’s defense against XSS. Local.
Create a passkey and authenticate using the Web Authentication API. Supports platform authenticators (TouchID, FaceID). No server.
Check if a URL can be embedded in an iframe. Test your site’s defense against clickjacking. Browser‑based.
Fetch a site’s HSTS header and validate its syntax, max‑age, and subdomain flags. Ensure your site enforce HTTPS.
Use your microphone to detect the dominant frequency of ambient sounds. Visualize the spectrum. Local Web Audio.
Build an iframe with different sandbox flags and see live which features are blocked. For secure embedding.
Instantly convert plain text into HTML‑safe escaped characters for secure display in web pages. Prevent cross‑site scripting. All processing local.
Paste text and get a rough analysis of its emotional tone (happy, sad, angry, etc.) based on keyword matching. Local.
Strip dangerous HTML tags and attributes (scripts, onclick) to prevent XSS attacks. Safe iframe preview. Local sanitation engine.
Paste email headers or body text to quickly spot phishing signs, suspicious domains, and obfuscated links. Educational and private.
Evaluate the strength of your passwords with a visual meter and detailed feedback. Check for length, complexity, and breached passwords. All analysis is client-side.
Generate ultra-secure, random passwords with configurable length and character sets. Created entirely on your device; never transmitted or stored.