A growing set of focused security tools for engineers and researchers, spanning web application security, AI and LLM security, digital forensics, and cryptography. Each one does a single job well, explains what it finds in plain language, and runs entirely in your browser.
Paste your HTTP response headers and get a graded report on HSTS, Content Security Policy, X-Frame-Options, cookies, and more.
Build a strict nonce-based policy from what your site actually loads, then copy it straight into your server or meta tag.
Paste a Content Security Policy and surface its weaknesses, including the known allowlist bypass gadgets that quietly let script run.
Choose which browser features a page may use and generate a locked-down Permissions Policy header with ready server snippets.
Grade your Set-Cookie headers on Secure, HttpOnly, SameSite, the host and secure prefixes, and how widely the domain is scoped.
Spot the dangerous combinations in your CORS headers, like reflecting the request Origin while also allowing credentials.
Decode a JSON Web Token and grade its security: the alg none trap, key confusion, expiry, and secrets left in the payload.
Expand every encoding of an address and classify it against private, loopback, and cloud metadata ranges that filters miss.
See how different parsers read the same URL and spot the host disagreements that defeat allowlists and enable open redirect and SSRF.
Check whether a file served as one type can be sniffed to HTML and run script, the root of many file upload bugs.
Analyze a regular expression for catastrophic backtracking and see a sample input that would make it hang.
Produce the integrity attribute that pins a third-party script or stylesheet to one exact file, hashed locally with Web Crypto.
Build a valid RFC 9116 security.txt or check an existing one, including whether it has already expired.
Match a CNAME target and the error page it serves against a database of known claimable service fingerprints.
Lint a prompt template for the spots where untrusted input becomes instructions, mapped to the OWASP Top 10 for LLM applications.
Statically audit a Model Context Protocol server manifest for tool poisoning, over-broad scopes, and command injection.
Walk the OWASP Top 10 for LLM applications and produce a scored, exportable readiness report for your AI system.
Pull indicators of compromise out of a report and defang them for safe sharing, or refang them back.
Peel base64, gzip, hex, and PowerShell EncodedCommand layers to reveal what a blob actually contains, without running it.
Drop a file to see its entropy graph, its real type from magic bytes, a hexdump, and any appended or embedded payloads.
Convert Windows FILETIME, Chrome WebKit, Cocoa, and Unix timestamps, and auto-detect which format a raw value is.
Decode a PEM certificate to read its subject, alternative names, validity, and key, and flag weak signatures and expiry.
Auto-identify and decode Caesar, Vigenère, XOR, and the common base encodings, ranked by how much the result reads as English.
See the GPS location and camera data hidden in a photo, then download a clean copy with the metadata stripped out.
Scan code or config for leaked API keys, tokens, and private keys before they reach a commit, all in the browser.
Estimate entropy and surface the patterns that make a password fall fast under real guessing. The password never leaves the page.
Security tools often ask you to paste sensitive material: production response headers, a live session token, a cookie, a password, a malware sample, a photo with your location in it. Sending any of that to a server you do not control is its own risk. Every tool here is fully client-side, which means the data you drop in is analyzed by JavaScript on this page and is never uploaded, logged, or stored. You can use them on internal systems and real evidence without the input ever leaving your machine.
They are built by UnboundCompute, where we work on autonomous security research for web apps and APIs. If you want to understand the ideas behind the tools, the security blog goes deep on the underlying attacks and defenses.