Content Security Policy Evaluator - Online Hash & Nonce Check
Test if a script or style will be allowed by a given CSP. Compute hash/nonce. Strengthen your site’s defense against XSS. Local.
UD5 Toolkit
Analyze HSTS, CSP, X-Frame-Options & more in seconds. Detect missing security headers and fix your website’s configuration.
| Security Header | Status | Value / Recommendation | Risk |
|---|
Test if a script or style will be allowed by a given CSP. Compute hash/nonce. Strengthen your site’s defense against XSS. Local.
Look at HTTP headers and JavaScript objects to guess which browser extensions might be installed. For awareness.
Test a regular expression against malicious inputs to detect catastrophic backtracking and ReDoS vulnerabilities. Educational.
Check if the browser has captured the beforeinstallprompt event. Understand why your PWA is (or isn't) installable.
Check if a password appears in the Have I Been Pwned database using k‑Anonymity. Only the first 5 characters of the hash are sent.
Check which cipher suites a website supports and identify weak or outdated ones. Quick security audit from your browser.
Validate a DNSSEC chain by entering DS and RRSIG records. Verify that signatures match. Educational. Local algorithm.
Fetch a site’s HSTS header and validate its syntax, max‑age, and subdomain flags. Ensure your site enforce HTTPS.
Enter an API URL and quickly check its HTTP status code and response time. See response headers and body. Browser fetch.
Type any character and see how it renders in different font stacks. Detect missing glyphs and fallback behavior.
Pick a method, URL, headers, and body, then send an HTTP request directly from your browser. Debug APIs easily.
Enter a URL and get a one‑page report of titles, description, headings, image alts, and broken links. All from browser.
Build an iframe with different sandbox flags and see live which features are blocked. For secure embedding.
Enter a package name and version range to see all satisfying versions from the registry. Understand ^ and ~.
Check if an IBAN has the correct length and structure for its country. Early validation, no bank connection.
Drop an image that might have wrong extension and see its real format (JPEG, PNG, WebP) based on header bytes.
Enter a URL and see its favicon at all standard sizes. Check if it's properly defined. SEO basic check.
Trace the full redirect path of a URL. See every hop, status code, and final destination. Detect broken chains.
Paste your email body and subject, and get a spam score based on common trigger words and patterns. Improve your cold outreach.
Type a word to see all its homophones with definitions. Avoid embarrassing mistakes (their/there/they’re). Static dictionary.
Enter a year to check if it is a leap year. Shows the rule explanation and next/previous leap years. Simple reference.
Find out if a word is an isogram (no repeating letters). Different types: first-order, second-order. Word nerd fun.
Check if a word or phrase is a palindrome (reads same forward and backward). Live validation and fun facts.
Preview the Gravatar image associated with any email address. Generate the correct Gravatar URL. Handy for avatar debugging.
Check if a website is globally reachable or experiencing issues. Status code and latency displayed. Quick browser-side test.
Strip dangerous HTML tags and attributes (scripts, onclick) to prevent XSS attacks. Safe iframe preview. Local sanitation engine.
Paste email headers or body text to quickly spot phishing signs, suspicious domains, and obfuscated links. Educational and private.
Enter a URL and see the full HTTP response headers returned by the server. Detect redirects and server type. Useful for SEO and web debugging.
Evaluate the strength of your passwords with a visual meter and detailed feedback. Check for length, complexity, and breached passwords. All analysis is client-side.
A complete reference of HTTP status codes with explanations. Search and filter by code or category. Useful for API developers and web debugging. Static and fast.