Regex Injection / ReDoS Tester - Online Safe Pattern Test
Test a regular expression against malicious inputs to detect catastrophic backtracking and ReDoS vulnerabilities. Educational.
UD5 Toolkit
Check & analyze HTTP Strict‑Transport‑Security headers for any website. Ensure your domain enforces HTTPS properly.
Fetching headers from target URL...
This may take a few secondsUnable to retrieve headers from this URL.
Waiting for analysis...
HTTP Strict Transport Security (HSTS) is a web security policy mechanism that helps protect websites against protocol downgrade attacks and cookie hijacking. It forces browsers to interact with the website exclusively over HTTPS.
max-age directive specifies (in seconds) how long the browser should remember that the site must only be accessed via HTTPS. Common values: 31,536,000 (1 year), 63,072,000 (2 years). A longer max-age provides better security. Google's HSTS preload list requires a minimum max-age of 1 year (31,536,000 seconds), with 2 years recommended.
includeSubDomains directive extends the HSTS policy to all subdomains of the main domain. For example, if example.com sets HSTS with includeSubDomains, then blog.example.com, api.example.com, and all other subdomains must also be accessed via HTTPS. This prevents attackers from targeting unprotected subdomains.
preload directive to your header and submit your domain at hstspreload.org. Requirements: valid certificate, redirect HTTP→HTTPS on the same host, all subdomains covered, and max-age ≥ 1 year.
strict-transport-security in Response Headers; (3) Visit hstspreload.org to check preload status; (4) Use command-line tools like curl -I https://yoursite.com and look for the header.
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"helmet middleware — app.use(helmet.hsts({ maxAge: 63072000, includeSubDomains: true, preload: true })).
Test a regular expression against malicious inputs to detect catastrophic backtracking and ReDoS vulnerabilities. Educational.
Drop a WAV file and see its full header: sample rate, bit depth, channels, and chunk structure. Raw bytes explained.
Check if the browser has captured the beforeinstallprompt event. Understand why your PWA is (or isn't) installable.
Send conditional requests to a URL and verify that the server correctly handles ETag and If‑None‑Match. Audit caching.
Scroll a container and see how sticky elements behave. Adjust top, bottom, and scroll margins. Copy the code.
Check if a password appears in the Have I Been Pwned database using k‑Anonymity. Only the first 5 characters of the hash are sent.
Check which cipher suites a website supports and identify weak or outdated ones. Quick security audit from your browser.
Validate a DNSSEC chain by entering DS and RRSIG records. Verify that signatures match. Educational. Local algorithm.
Enter an API URL and quickly check its HTTP status code and response time. See response headers and body. Browser fetch.
Type any character and see how it renders in different font stacks. Detect missing glyphs and fallback behavior.
Enter a URL and get a one‑page report of titles, description, headings, image alts, and broken links. All from browser.
Look at HTTP headers and JavaScript objects to guess which browser extensions might be installed. For awareness.
Build an iframe with different sandbox flags and see live which features are blocked. For secure embedding.
Enter a package name and version range to see all satisfying versions from the registry. Understand ^ and ~.
Check if an IBAN has the correct length and structure for its country. Early validation, no bank connection.
Drop an image that might have wrong extension and see its real format (JPEG, PNG, WebP) based on header bytes.
Enter a URL and see its favicon at all standard sizes. Check if it's properly defined. SEO basic check.
Trace the full redirect path of a URL. See every hop, status code, and final destination. Detect broken chains.
Paste your email body and subject, and get a spam score based on common trigger words and patterns. Improve your cold outreach.
Type a word to see all its homophones with definitions. Avoid embarrassing mistakes (their/there/they’re). Static dictionary.
Enter a year to check if it is a leap year. Shows the rule explanation and next/previous leap years. Simple reference.
Find out if a word is an isogram (no repeating letters). Different types: first-order, second-order. Word nerd fun.
Check if a word or phrase is a palindrome (reads same forward and backward). Live validation and fun facts.
Preview the Gravatar image associated with any email address. Generate the correct Gravatar URL. Handy for avatar debugging.
Check if a website is globally reachable or experiencing issues. Status code and latency displayed. Quick browser-side test.
Strip dangerous HTML tags and attributes (scripts, onclick) to prevent XSS attacks. Safe iframe preview. Local sanitation engine.
Paste email headers or body text to quickly spot phishing signs, suspicious domains, and obfuscated links. Educational and private.
Enter a URL and see the full HTTP response headers returned by the server. Detect redirects and server type. Useful for SEO and web debugging.
Evaluate the strength of your passwords with a visual meter and detailed feedback. Check for length, complexity, and breached passwords. All analysis is client-side.
Generate ultra-secure, random passwords with configurable length and character sets. Created entirely on your device; never transmitted or stored.