HTTP Security Header Checker - Online HSTS, CSP, X-Frame Analysis
Paste response headers string and get a security audit. Check presence and configuration of key security headers. Local analysis.
UD5 Toolkit
—
Generate a cryptographically random nonce for CSP.
—
script-src 'nonce-...'
Enter a CSP header to see analysis.
script-src directive. Browsers will then only execute inline scripts whose hash matches one in the policy, effectively blocking XSS.
nonce attribute on the script tag. Hashes, on the other hand, work best for static inline scripts that rarely change.
'unsafe-inline' and 'unsafe-eval', restrict sources to exact origins, define object-src 'none', and consider using 'strict-dynamic' with nonces/hashes. Always include a report-uri or report-to directive to monitor violations. Our evaluator helps identify such misconfigurations.
script-src directive like this: script-src 'sha256-xyz...';. If you use 'strict-dynamic', the hash allows the inline script and also enables loading of other scripts dynamically added by that script. Remember to base64-encode the hash (as we output) and include the prefix.
Content-Security-Policy header value into the evaluator, and click “Evaluate Security”. You'll get a breakdown of each directive and a security score. It highlights dangerous keywords like 'unsafe-inline' and missing directives.
Paste response headers string and get a security audit. Check presence and configuration of key security headers. Local analysis.
Calculate the entropy (in bits) of a password based on character pool size and length. Visual strength meter with crack time estimation. Local only.
Test a regular expression against malicious inputs to detect catastrophic backtracking and ReDoS vulnerabilities. Educational.
Paste a URL or HTML to detect known vulnerable JavaScript library versions. Quick security audit. Client‑side only.
Drop a PDF and extract any embedded JavaScript or form actions. Check for malicious code. Privacy‑friendly analysis.
Test SQL injection inputs on a mock database and see the resulting query. Learn how to prevent SQLi. No real data.
Paste a potential XSS vector and see if it executes in a sandboxed iframe. For security researchers and education.
Enter a website and check which security headers (HSTS, CSP, X‑Frame‑Options) are present. Get a security grade.
Send a test CSP violation report and see the ReportingObserver in action. Understand how monitoring works.
Use the new Sanitizer API to safely insert raw HTML into the DOM. Blocks malicious tags. Experimental demo.
See how Trusted Types prevents unsafe HTML assignment. Test against injected scripts. Modern security practice.
Validate a DNSSEC chain by entering DS and RRSIG records. Verify that signatures match. Educational. Local algorithm.
Paste the Permissions‑Policy header and get a human‑readable table of allowed/blocked browser features. Understand how your site is restricted.
Create a passkey and authenticate using the Web Authentication API. Supports platform authenticators (TouchID, FaceID). No server.
Check if a URL can be embedded in an iframe. Test your site’s defense against clickjacking. Browser‑based.
Fetch a site’s HSTS header and validate its syntax, max‑age, and subdomain flags. Ensure your site enforce HTTPS.
Paste a Content‑Security‑Policy header and get a human‑readable breakdown. See potential risks and suggestions.
Configure browser feature permissions (camera, microphone, geolocation) and generate the Permissions‑Policy HTTP header.
Convert plain text into HTML‑safe strings by escaping <, >, &, and quotes. Insert into code safely. Local copy.
Build an iframe with different sandbox flags and see live which features are blocked. For secure embedding.
Instantly convert plain text into HTML‑safe escaped characters for secure display in web pages. Prevent cross‑site scripting. All processing local.
Strip dangerous HTML tags and attributes (scripts, onclick) to prevent XSS attacks. Safe iframe preview. Local sanitation engine.
Paste email headers or body text to quickly spot phishing signs, suspicious domains, and obfuscated links. Educational and private.
Escape HTML special characters to prevent XSS attacks, or unescape HTML entities back to original text. Essential for web developers. Runs locally.
Evaluate the strength of your passwords with a visual meter and detailed feedback. Check for length, complexity, and breached passwords. All analysis is client-side.
Generate ultra-secure, random passwords with configurable length and character sets. Created entirely on your device; never transmitted or stored.