Security Tools
Practical security tooling for developers and pentesters: header and CSP analyzers, hash and CVSS tools, TOTP and HMAC generators, and helpers for authorized testing.
AES Encryption
Encrypt and decrypt text with AES-GCM and a password. Uses 256-bit keys derived with PBKDF2, runs entirely in your browser, and nothing is uploaded.
CSP Analyzer
Paste a Content-Security-Policy header and get it parsed into directives and audited for weaknesses, with severity and fixes. Runs in your browser.
CVSS Calculator
Calculate a CVSS v3.1 base score and severity from the eight base metrics. Build the vector string and see how each choice moves the score, in your browser.
Hash Identifier
Identify the likely hash algorithm of a string by its length, character set and prefix. Detects MD5, SHA, bcrypt and more. Runs in your browser.
HMAC Generator
Generate an HMAC for a message and secret key with SHA-1, SHA-256, SHA-384 or SHA-512. Verify webhook and API signatures, with hex or base64 output.
Htpasswd Generator
Generate an Apache .htpasswd line (username plus {SHA} or plain password) for basic auth. Hashed in your browser, nothing is uploaded.
JWT Verifier
Verify a JWT signature with HS256, HS384 or HS512 and your secret. Checks exp and nbf claims and shows the decoded header and payload. Runs in your browser.
Nmap Command Builder
Build an nmap command from friendly options and get a plain-English explanation of every flag. For systems you own or are authorized to test.
Reverse Shell Generator
Generate reverse shell one-liners for Bash, Python, PHP, Perl, Ruby, PowerShell, Netcat and Socat from an IP and port, plus the listener command.
RSA Key Generator
Generate an RSA public and private key pair in PEM format. Keys are created in your browser with the Web Crypto API and never sent anywhere.
Secret Scanner
Paste code or config to find leaked API keys, tokens and private keys using gitleaks-style signatures. Runs in your browser, nothing is uploaded.
Security Headers Analyzer
Paste raw HTTP response headers and get a graded report of your security headers, with severity ratings and copy-paste fixes. Runs in your browser.
SRI Hash Generator
Generate a Subresource Integrity hash and a ready-to-paste script or link tag from your asset contents. Hashed in your browser, nothing is uploaded.
TOTP Generator
Generate time-based one-time passwords from a base32 secret, just like an authenticator app. Test 2FA flows with live RFC 6238 codes in your browser.