Security & Privacy Tools
Generate strong passwords, check password strength, and create HMAC signatures — all client-side.
Password Generator
Generate strong, random passwords with customizable length, characters, and complexity.
Password Strength Checker
Check how strong your password is. Get an estimated crack time and improvement suggestions.
HMAC Generator
Generate HMAC signatures using SHA-256, SHA-384, or SHA-512 with the Web Crypto API.
AES Encryption/Decryption
Encrypt and decrypt text using AES-GCM with PBKDF2 key derivation. Runs entirely in your browser.
CSP Header Generator
Generate Content-Security-Policy headers with a visual editor. Pick directives, use presets, and copy the result.
SRI Hash Generator
Generate Subresource Integrity (SRI) hashes for scripts and stylesheets. SHA-256, SHA-384, and SHA-512.
Email Header Parser
Parse raw email headers to see delivery path, SPF/DKIM/DMARC results, and hop-by-hop timestamps.
Email Deliverability Checker
Check SPF, DKIM, DMARC, and MX records for any domain. Diagnose email deliverability issues and improve inbox rates.
WordPress Security Checker
Check any WordPress site for common security issues: exposed files, outdated version signals, login page exposure, XML-RPC, and user enumeration.
Security Headers Checker
Audit all 8 modern HTTP security headers — HSTS, CSP, Permissions-Policy, Referrer-Policy, X-Frame-Options, and more. Grade A-F with privacy data-flow implications.
CSP Analyzer
Deep Content Security Policy analysis — decodes all directives, detects unsafe-inline/unsafe-eval, identifies tracker origins whitelisted in script-src, and grades CSP strength A-F with a privacy angle.
SSL/TLS Checker
Checks HTTPS configuration, HSTS header and preload status, mixed-content risks, HTTP→HTTPS redirect chain, and certificate transparency. Fast alternative to SSL Labs for quick site audits.
Password Breach Checker
Checks if a password has been exposed in known data breaches using the k-anonymity HaveIBeenPwned API. Your password is hashed in-browser and never sent to any server.
Mixed Content Checker
Scans HTTPS pages for HTTP sub-resources (blocking: scripts/stylesheets/iframes; passive: images/media). Detects CSP upgrade-insecure-requests. Grade A-F.
Server Info Disclosure
Detects HTTP headers that leak server/technology versions: Server, X-Powered-By, X-AspNet-Version, X-Generator, X-Runtime, X-Varnish. Severity-rated findings. Grade A-F.
HTTP Method Checker
Tests which HTTP methods are enabled on a URL (GET, HEAD, POST, PUT, DELETE, PATCH, TRACE). Flags dangerous methods like TRACE (XST) and unnecessary PUT/DELETE. Grade A-F.
CAA Record Checker
Checks Certification Authority Authorization (CAA) DNS records: which CAs can issue certificates, wildcard policy, iodef violation reporting. Flags missing CAA as high risk — any CA can issue certs without authorization.
Exposed Files Checker
Checks 25+ sensitive file paths: .env, .git/config, wp-config.php, phpinfo.php, .htpasswd, adminer.php, backup.sql, .ssh/id_rsa, composer.json, and more. Severity critical/high/medium/low. Grade A-F.
DMARC Record Analyzer
Analyzes DMARC policy: p=reject/quarantine/none, rua/ruf reporting addresses, pct enforcement %, adkim/aspf alignment, subdomain policy (sp=). Checks for monitoring-only vs full-enforcement policy. Grade A-F.
DKIM Record Checker
Checks DKIM selectors for your domain by testing 20 common selectors (google, selector1, mail, k1, sendgrid, etc.). Shows key type, estimated key length, hash algorithms. Flags weak 1024-bit keys and revoked keys.
TLS Certificate Checker
Queries Certificate Transparency logs (crt.sh) to show your TLS certificate expiry date, days remaining, issuer, Subject Alternative Names (SANs), and wildcard status. Checks for multiple active certs.
SPF Record Analyzer
Deep SPF record analysis: parses all mechanisms (include, ip4, ip6, a, mx, ptr), follows the include chain, counts DNS lookups against the RFC 7208 10-lookup limit, checks -all hardfail vs ~all softfail. Grade A-F.
URL Reputation Checker
Check if a URL or domain is known malware or phishing infrastructure using the URLhaus abuse.ch database. Provides threat classification, malware type, tags, and reporter information for flagged URLs.
BIMI Record Checker
Check your domain's BIMI (Brand Indicators for Message Identification) DNS record. Verifies the BIMI TXT record format, SVG logo URL reachability, VMC (Verified Mark Certificate), and DMARC policy prerequisite (p=quarantine or reject).
Subdomain Finder
Find all subdomains of a domain using Certificate Transparency logs (crt.sh). Discovers subdomains across all historical SSL/TLS certificates. Great for attack surface mapping and security audits.
DNSSEC Checker
Check if a domain has DNSSEC enabled and properly validated. Verifies the AD (Authenticated Data) flag, DNSKEY and DS records, and algorithm used. Detects broken or missing DNSSEC chains.
MX Record Checker
Check your domain's MX (Mail Exchange) records: priority ordering, mail server hostnames, A/AAAA resolution, and PTR (reverse DNS) records. Diagnoses common email delivery configuration issues.
IP Blacklist Checker
Check if an IP address or domain is listed on 15+ spam and malware blacklists including Spamhaus ZEN, SpamCop, Barracuda, SORBS, ABUSEAT CBL, DroneBL, and more. Enter domain or IP.
TLSA / DANE Checker
Check TLSA (DANE) DNS records for your domain. Validates _443._tcp and _25._tcp DANE records, parses usage/selector/matching-type fields, and checks for DNSSEC, which DANE requires to be secure. Get a full DANE readiness assessment.
HSTS Preload Checker
Check if your domain is on the HSTS preload list and validate your Strict-Transport-Security header. Verifies max-age, includeSubDomains, and preload flags required for Chrome/Firefox preloading. Get eligibility status and configuration score.
Cookie Security Analyzer
Analyze cookies returned by any URL for security attributes. Checks HttpOnly, Secure, SameSite (Strict/Lax/None), Domain scope, expiry, and flags insecure configurations. Get a per-cookie security score and recommendations.
Security.txt Checker
Validate your security.txt file against RFC 9116. Checks required fields (Contact, Expires), optional fields (Encryption, Policy, Canonical), expiry status, and HTTPS hosting. Get a health score and actionable recommendations.
Subdomain Takeover Checker
Check if any of your subdomains have dangling CNAME records pointing to unclaimed third-party services (GitHub Pages, Heroku, Shopify, Azure, AWS S3, Fastly, etc.). Detects potential subdomain takeover vulnerabilities before attackers exploit them.
Cross-Origin Policy Checker
Check Cross-Origin-Opener-Policy (COOP), Cross-Origin-Embedder-Policy (COEP), and Cross-Origin-Resource-Policy (CORP) headers. These headers enable browser isolation features required for SharedArrayBuffer and high-resolution timers. Get a security score and setup guidance.
TOTP Generator
Generate time-based one-time passwords (TOTP) for two-factor authentication. Enter a secret key and get the current 6-digit code with countdown timer.
Htpasswd Generator
Generate Apache .htpasswd entries with bcrypt, MD5, or SHA1 hashing. Create password-protected directories for Apache and Nginx servers.
Password Strength Checker
Check password strength with detailed scoring. Shows entropy, estimated crack time, and criteria breakdown. Includes a secure password generator.
JWT Generator/Decoder
Generate and decode JSON Web Tokens. Encode with HMAC-SHA256 via Web Crypto API. Decode to see header, payload, and expiration status.
CSP Header Generator
Generate Content Security Policy headers visually. Configure directives with predefined sources, custom URLs, and presets.
SRI Hash Generator
Generate Subresource Integrity hashes for scripts and stylesheets. SHA-256, SHA-384, and SHA-512 via Web Crypto API.
IP Subnet Calculator
Calculate IPv4 subnet details from an IP address and CIDR prefix or subnet mask. See network address, broadcast, host range, wildcard mask, and binary representations.
Caesar Cipher
Encode and decode text using the Caesar cipher (ROT shift cipher). Supports custom shift values and can brute-force all 25 possible decryptions at once.
Password Strength Meter
Analyze password strength in real time. Check entropy, crack time estimates, character set diversity, and get actionable suggestions to make passwords stronger.
Vigenère Cipher
Encode and decode text using the Vigenère polyalphabetic cipher. Enter a keyword to create a key-based substitution cipher stronger than Caesar.