Content Security Policy Evaluator - Online Hash & Nonce Check

CSP Hash Generator

Inline Script Content Hash Algorithm

CSP Hash Value

—

Paste into script-src with 'strict-dynamic'

Nonce Generator

Generate a cryptographically random nonce for CSP.

Base64 Nonce (128-bit)

—

Use: script-src 'nonce-...'

CSP Evaluator

Content-Security-Policy Header Value

Security Score --

Enter a CSP header to see analysis.

Frequently Asked Questions

A CSP hash allows you to whitelist specific inline scripts by their cryptographic hash. Instead of enabling 'unsafe-inline', you compute the SHA-256, SHA-384, or SHA-512 hash of the script's content and add it to your script-src directive. Browsers will then only execute inline scripts whose hash matches one in the policy, effectively blocking XSS.

Nonces are ideal for dynamic scripts where the content changes on every page load (e.g., scripts with session-specific data). The server generates a unique nonce for each response and includes it both in the CSP header and as a nonce attribute on the script tag. Hashes, on the other hand, work best for static inline scripts that rarely change.

A secure CSP should avoid 'unsafe-inline' and 'unsafe-eval', restrict sources to exact origins, define object-src 'none', and consider using 'strict-dynamic' with nonces/hashes. Always include a report-uri or report-to directive to monitor violations. Our evaluator helps identify such misconfigurations.

Add it to the script-src directive like this: script-src 'sha256-xyz...';. If you use 'strict-dynamic', the hash allows the inline script and also enables loading of other scripts dynamically added by that script. Remember to base64-encode the hash (as we output) and include the prefix.

Yes. Paste your complete Content-Security-Policy header value into the evaluator, and click “Evaluate Security”. You'll get a breakdown of each directive and a security score. It highlights dangerous keywords like 'unsafe-inline' and missing directives.

New

Security Headers Auditor - Online Check HSTS, CSP & More

Enter a website and check which security headers (HSTS, CSP, X‑Frame‑Options) are present. Get a security grade.

Network audit CSP HSTS security headers

New

Permissions‑Policy Header Parser - Online Decode & Check

Paste the Permissions‑Policy header and get a human‑readable table of allowed/blocked browser features. Understand how your site is restricted.

Parser header parser Permissions‑Policy security

New

Password Policy Checker - Online Test Against Rules

Define minimum length, uppercase, digits, special chars, and check if a password meets your custom policy. Instant feedback.

Security checker compliance password policy rules

New

SSL Certificate Checker - Online Verify Expiry & Chain

Enter a domain and see its SSL certificate details: issuer, validity dates, and chain. Client‑side fetch.

Network certificate checker expiry SSL

New

Local Password Breach Checker - Online k‑Anonymity

Tell if your password has appeared in data breaches without sending the full password. Uses hash prefix locally.

Security breach checker password safe

New

DNSSEC Chain Validator - Online Check RRSIG & DS

Validate a DNSSEC chain by entering DS and RRSIG records. Verify that signatures match. Educational. Local algorithm.

Network DNS DNSSEC security validator

New

Code of Conduct Generator - Online Community Covenant

Generate a Contributor Covenant or custom Code of Conduct for your project or event. Ready to paste into your repo.

Developer Tools Code of Conduct community generator open source

New

Network Information API Checker - Online Downlink Speed

Display your effective connection type (4g, 3g, etc.) and downlink speed using the Navigator API. Adapt your app accordingly.

Info API connection Network Information speed

New

Hashid Encoder/Decoder - Online Short Unique IDs from Numbers

Convert integers into short, unique, YouTube‑style IDs (hashids) and decode them back. Customize salt and minimum length.

Developer Tools decode encode hashid short id

New

Default Wi‑Fi Password Calculator - Online ISP Router Keygen

Enter a router's MAC address or serial and generate the common default WPA passphrase for major ISP brands. Educational purpose only.

Network generator password router Wi‑Fi

New

Cocktail Recommender - Online What to Mix Based on Liquor

Tell the tool what base liquor and mixers you have, and it suggests classic cocktails. Simple database. Cheers!

Food cocktail drink mixer recommender

New

HTTP Security Header Checker - Online HSTS, CSP, X-Frame Analysis

Paste response headers string and get a security audit. Check presence and configuration of key security headers. Local analysis.

Checker checker headers HTTP security

New

Password Entropy Calculator - Online Bits of Security Meter

Calculate the entropy (in bits) of a password based on character pool size and length. Visual strength meter with crack time estimation. Local only.

Calculator bits entropy password security

New

Regex Injection / ReDoS Tester - Online Safe Pattern Test

Test a regular expression against malicious inputs to detect catastrophic backtracking and ReDoS vulnerabilities. Educational.

Developer Tools injection ReDoS regex security

New

Frontend JS Library Vulnerability Scanner - Online Check Version

Paste a URL or HTML to detect known vulnerable JavaScript library versions. Quick security audit. Client‑side only.

Developer Tools JavaScript scanner security vulnerability

New

PDF Script Inspector - Online See Embedded JavaScript

Drop a PDF and extract any embedded JavaScript or form actions. Check for malicious code. Privacy‑friendly analysis.

Document Tool inspector JavaScript PDF security

New

SQL Injection Simulator - Online Educational Sandbox

Test SQL injection inputs on a mock database and see the resulting query. Learn how to prevent SQLi. No real data.

Educational learn security simulator SQL injection

New

XSS Payload Sandbox - Online Test Escape Characters

Paste a potential XSS vector and see if it executes in a sandboxed iframe. For security researchers and education.

Educational payload sandbox security XSS

New

Reporting API Demo - Online See CSP & Deprecation Reports

Send a test CSP violation report and see the ReportingObserver in action. Understand how monitoring works.

Developer Tools CSP demo monitor Reporting API

New

HTML Sanitizer API Demo - Online Safe Set HTML

Use the new Sanitizer API to safely insert raw HTML into the DOM. Blocks malicious tags. Experimental demo.

Developer Tools HTML safe Sanitizer API XSS

New

Trusted Types API Demo - Online Prevent XSS

See how Trusted Types prevents unsafe HTML assignment. Test against injected scripts. Modern security practice.

Developer Tools demo security Trusted Types XSS

New

WebAuthn Demo - Online Register & Authenticate

Create a passkey and authenticate using the Web Authentication API. Supports platform authenticators (TouchID, FaceID). No server.

API biometric passkey security WebAuthn

New

X‑Frame‑Options Tester - Online Clickjacking Defense

Check if a URL can be embedded in an iframe. Test your site’s defense against clickjacking. Browser‑based.

Security clickjacking security test X‑Frame‑Options

New

HSTS Header Checker - Online Strict‑Transport‑Security

Fetch a site’s HSTS header and validate its syntax, max‑age, and subdomain flags. Ensure your site enforce HTTPS.

Network checker header HSTS security

New

CSP Analyzer - Online Test & Improve Policy

Paste a Content‑Security‑Policy header and get a human‑readable breakdown. See potential risks and suggestions.

Analyzer analyzer CSP header security

New

Permissions‑Policy Header Generator - Online Security Config

Configure browser feature permissions (camera, microphone, geolocation) and generate the Permissions‑Policy HTTP header.

Generator generator header Permissions‑Policy security

New

Text to HTML Safe Converter - Online Escape for Web

Convert plain text into HTML‑safe strings by escaping <, >, &, and quotes. Insert into code safely. Local copy.

Developer Tools HTML escape safe text XSS

New

Iframe Sandbox Configurator - Online Test Permissions

Build an iframe with different sandbox flags and see live which features are blocked. For secure embedding.

Developer Tools iframe sandbox security test

New

String to Escaped HTML - Online Protect Against XSS

Instantly convert plain text into HTML‑safe escaped characters for secure display in web pages. Prevent cross‑site scripting. All processing local.

Developer Tools encode HTML escape security XSS

New

HTML Sanitizer - Online Clean Dangerous Tags & XSS Prevention

Strip dangerous HTML tags and attributes (scripts, onclick) to prevent XSS attacks. Safe iframe preview. Local sanitation engine.

Developer Tools clean HTML sanitizer security XSS