Free Security Tools

Decode JWTs and catch security issues: alg:none, long-lived tokens, sensitive claims. 100% client-side signature verification.

Test any URL for CORS misconfigurations. Detects Origin reflection, null origin acceptance, and preflight failures.

Audit your Content Security Policy. Paste a CSP or fetch from URL. Graded A-F with specific fixes for unsafe-inline, wildcard sources, and more.

Scan .env files, code, or config for exposed API keys. 30+ patterns including AWS, OpenAI, Stripe, GitHub, Firebase Admin, and private keys.

Check SSL certificate validity, expiry date, and TLS configuration. Get an instant security grade.

Check SPF, DMARC, and MX records for any domain. Protect against email spoofing and phishing.

Test password strength with detailed analysis. 100% client-side - your password never leaves your browser.

Check if your email has been exposed in a data breach. Powered by Have I Been Pwned.

Check DNSSEC configuration and CAA records. Prevent DNS hijacking and unauthorized certificates.

Check if a website has a valid security.txt for responsible vulnerability disclosure.

Generate Subresource Integrity hashes for scripts and stylesheets. Protect against CDN compromises.

Generate MD5, SHA-1, SHA-256, SHA-384, and SHA-512 hashes instantly. 100% client-side.

Encode and decode Base64 strings. Useful for debugging tokens and inspecting encoded data.