HTTP Security Header Checker - Online HSTS, CSP, X-Frame Analysis
Paste response headers string and get a security audit. Check presence and configuration of key security headers. Local analysis.
UD5 Toolkit
Register & Authenticate using biometrics, security keys, or platform authenticators
Create a passkey or register a security key
Sign in using a previously registered credential
example.com will never work on phishing-site.com. Additionally, private keys never leave the authenticator, making server-side database breaches useless for impersonation. No shared secrets are ever transmitted.
Paste response headers string and get a security audit. Check presence and configuration of key security headers. Local analysis.
Calculate the entropy (in bits) of a password based on character pool size and length. Visual strength meter with crack time estimation. Local only.
Test a regular expression against malicious inputs to detect catastrophic backtracking and ReDoS vulnerabilities. Educational.
Paste a URL or HTML to detect known vulnerable JavaScript library versions. Quick security audit. Client‑side only.
Test your device's built‑in biometric (Touch ID, Face ID, Windows Hello) using the Web Authentication API. Register and verify.
Drop a PDF and extract any embedded JavaScript or form actions. Check for malicious code. Privacy‑friendly analysis.
Test SQL injection inputs on a mock database and see the resulting query. Learn how to prevent SQLi. No real data.
Paste a potential XSS vector and see if it executes in a sandboxed iframe. For security researchers and education.
See how Trusted Types prevents unsafe HTML assignment. Test against injected scripts. Modern security practice.
Validate a DNSSEC chain by entering DS and RRSIG records. Verify that signatures match. Educational. Local algorithm.
Paste the Permissions‑Policy header and get a human‑readable table of allowed/blocked browser features. Understand how your site is restricted.
Test if a script or style will be allowed by a given CSP. Compute hash/nonce. Strengthen your site’s defense against XSS. Local.
Paste a raw WebAuthn attestation response (CBOR) and decode its fields: format, authenticator data, and extensions. Debug passkeys locally.
Check if a URL can be embedded in an iframe. Test your site’s defense against clickjacking. Browser‑based.
Fetch a site’s HSTS header and validate its syntax, max‑age, and subdomain flags. Ensure your site enforce HTTPS.
Paste a Content‑Security‑Policy header and get a human‑readable breakdown. See potential risks and suggestions.
Configure browser feature permissions (camera, microphone, geolocation) and generate the Permissions‑Policy HTTP header.
Build an iframe with different sandbox flags and see live which features are blocked. For secure embedding.
Instantly convert plain text into HTML‑safe escaped characters for secure display in web pages. Prevent cross‑site scripting. All processing local.
Strip dangerous HTML tags and attributes (scripts, onclick) to prevent XSS attacks. Safe iframe preview. Local sanitation engine.
Paste email headers or body text to quickly spot phishing signs, suspicious domains, and obfuscated links. Educational and private.
Evaluate the strength of your passwords with a visual meter and detailed feedback. Check for length, complexity, and breached passwords. All analysis is client-side.
Generate ultra-secure, random passwords with configurable length and character sets. Created entirely on your device; never transmitted or stored.