HTTP Security Header Checker - Online HSTS, CSP, X-Frame Analysis
Paste response headers string and get a security audit. Check presence and configuration of key security headers. Local analysis.
UD5 Toolkit
Paste a Permissions-Policy (formerly Feature-Policy) HTTP header to decode and inspect permissions for your site.
(self "https://example.com").
Enter a header value and click Parse to see decoded directives.
| Directive | Description | Example | Default |
|---|---|---|---|
camera |
Controls access to video input devices | camera=(self) |
All origins allowed |
microphone |
Controls access to audio input devices | microphone=() |
All origins allowed |
geolocation |
Controls access to Geolocation API | geolocation=(self "https://maps.example.com") |
All origins allowed |
fullscreen |
Controls ability to use Fullscreen API | fullscreen=* |
All origins allowed |
interest-cohort |
Controls FLoC tracking (Privacy Sandbox) | interest-cohort=() |
Allowed (opt out recommended) |
accelerometer, gyroscope, magnetometer |
Controls sensor APIs | accelerometer=() |
All origins allowed |
Permissions-Policy header (formerly Feature-Policy) allows a website to control which browser features and APIs can be used by the current page and embedded iframes. It helps improve security and privacy by restricting sensitive capabilities like camera, microphone, geolocation, etc.
Feature-Policy was the original header, but it has been replaced by Permissions-Policy. The new header uses a simpler syntax (directive=() instead of directive 'none') and is now the standard. Browsers will gradually drop support for Feature-Policy.
() means the feature is completely blocked for the current origin and all embedded contexts. For example, camera=() disables camera access entirely.
* means the feature is allowed for all origins (both same-origin and cross-origin iframes). However, use it cautiously because it may weaken your site's security posture.
Permissions-Policy HTTP response header (from browser DevTools → Network tab) and paste it into the input field above. Click Parse Header to see a clear breakdown of what each directive allows or blocks.
Paste response headers string and get a security audit. Check presence and configuration of key security headers. Local analysis.
Paste a SQL CREATE TABLE statement and extract just the column names as a CSV header row. For data migration.
Test a regular expression against malicious inputs to detect catastrophic backtracking and ReDoS vulnerabilities. Educational.
Drop a WAV file and see its full header: sample rate, bit depth, channels, and chunk structure. Raw bytes explained.
Drop a PDF and extract any embedded JavaScript or form actions. Check for malicious code. Privacy‑friendly analysis.
Test SQL injection inputs on a mock database and see the resulting query. Learn how to prevent SQLi. No real data.
Paste a potential XSS vector and see if it executes in a sandboxed iframe. For security researchers and education.
Send conditional requests to a URL and verify that the server correctly handles ETag and If‑None‑Match. Audit caching.
Scroll a container and see how sticky elements behave. Adjust top, bottom, and scroll margins. Copy the code.
Paste a `Set‑Cookie` header and see all attributes parsed: domain, path, Max‑Age, SameSite, Secure, HttpOnly. Debug cookies easily.
Validate a DNSSEC chain by entering DS and RRSIG records. Verify that signatures match. Educational. Local algorithm.
Check if a URL can be embedded in an iframe. Test your site’s defense against clickjacking. Browser‑based.
Fetch a site’s HSTS header and validate its syntax, max‑age, and subdomain flags. Ensure your site enforce HTTPS.
Paste a Content‑Security‑Policy header and get a human‑readable breakdown. See potential risks and suggestions.
Configure browser feature permissions (camera, microphone, geolocation) and generate the Permissions‑Policy HTTP header.
Drop or paste an .ics file and see all events in a readable table. Check dates, times, and locations. Privacy‑friendly.
Parse a Snowflake ID (used by Discord, Twitter) into its timestamp, worker, and sequence components. Instant local decoding.
Paste a human‑readable date (like 'next Friday' or 'March 5, 2023') and convert it to ISO 8601 format. Quick and tolerant.
Build an iframe with different sandbox flags and see live which features are blocked. For secure embedding.
Instantly convert plain text into HTML‑safe escaped characters for secure display in web pages. Prevent cross‑site scripting. All processing local.
Paste a raw server log snippet and see a structured table with IP, method, URL, and status. Quick audit.
Paste a raw cookie string and see a formatted key‑value table. Debug session cookies and understand flags. Runs in browser.
Strip dangerous HTML tags and attributes (scripts, onclick) to prevent XSS attacks. Safe iframe preview. Local sanitation engine.
Paste raw email headers and get a human-readable breakdown of the delivery route, authentication results, and delays. Private analysis.
Paste email headers or body text to quickly spot phishing signs, suspicious domains, and obfuscated links. Educational and private.
Parse a URL's query string into a key-value table, or build a query string from parameters. Perfect for API testing and web development.
Evaluate the strength of your passwords with a visual meter and detailed feedback. Check for length, complexity, and breached passwords. All analysis is client-side.
Paste a user agent string to get a human-readable breakdown of browser, operating system, and device. See your own current agent info automatically.
Describe cron schedule expressions in plain English and test future execution times. Indispensable for DevOps and backend developers. Local analysis.
Generate ultra-secure, random passwords with configurable length and character sets. Created entirely on your device; never transmitted or stored.