Content Security Policy Evaluator - Online Hash & Nonce Check
Test if a script or style will be allowed by a given CSP. Compute hash/nonce. Strengthen your site’s defense against XSS. Local.
UD5 Toolkit
Paste a Permissions-Policy (formerly Feature-Policy) HTTP header to decode and inspect permissions for your site.
| Directive | Description | Example | Default |
|---|---|---|---|
| camera | Controls access to video input devices | camera=(self) | All origins allowed |
| microphone | Controls access to audio input devices | microphone=() | All origins allowed |
| geolocation | Controls access to Geolocation API | geolocation=(self "https://maps.example.com") | All origins allowed |
| fullscreen | Controls ability to use Fullscreen API | fullscreen=* | All origins allowed |
| interest-cohort | Controls FLoC tracking (Privacy Sandbox) | interest-cohort=() | Allowed (opt out recommended) |
| accelerometer, gyroscope, magnetometer | Controls sensor APIs | accelerometer=() | All origins allowed |
The Permissions-Policy header (formerly Feature-Policy) allows a website to control which browser features and APIs can be used by the current page and embedded iframes. It helps improve security and privacy by restricting sensitive capabilities such as the camera, microphone and geolocation.
Feature-Policy was the original header, but it has been replaced by Permissions-Policy. The new header uses a simpler syntax (directive=() instead of directive 'none') and is now the standard. Browsers will gradually drop support for Feature-Policy.
() means the feature is completely blocked for the current origin and all embedded contexts. For example, camera=() disables camera access entirely.
* means the feature is allowed for all origins (both same-origin and cross-origin iframes). However, use it cautiously because it may weaken your site's security posture.
Copy the Permissions-Policy HTTP response header (from browser DevTools → Network tab) and paste it into the input field above. Click Parse Header to see a clear breakdown of what each directive allows or blocks.
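A minimal decoder for the header forms described above, added here as an example (it is not this tool's own code). The function names and the sample header are constructed for illustration; Structured Field parameters such as `;report-to` are not handled and are rejected.

```javascript
// Constructed sample header built from the forms in the table above.
const SAMPLE_HEADER =
  'camera=(self), microphone=(), geolocation=(self "https://maps.example.com"), fullscreen=*';

// Split on commas that sit outside quotes and parentheses.
function splitTopLevel(header) {
  const parts = [];
  let cur = '', depth = 0, inQuote = false;
  for (const ch of header) {
    if (ch === '"') inQuote = !inQuote;
    else if (!inQuote && ch === '(') depth++;
    else if (!inQuote && ch === ')') depth--;
    if (ch === ',' && !inQuote && depth === 0) { parts.push(cur); cur = ''; }
    else cur += ch;
  }
  parts.push(cur);
  return parts.map(p => p.trim()).filter(Boolean);
}

// Decode each directive into its allowlist and a coarse effect label.
function parsePermissionsPolicy(header) {
  const policy = {};
  for (const member of splitTopLevel(header)) {
    const eq = member.indexOf('=');
    if (eq < 1) throw new Error(`malformed directive: ${member}`);
    const name = member.slice(0, eq).trim();
    const value = member.slice(eq + 1).trim();
    if (!value) throw new Error(`missing allowlist: ${member}`);
    let tokens;
    if (value.startsWith('(')) {
      if (!value.endsWith(')')) throw new Error(`unsupported allowlist: ${member}`);
      tokens = value.slice(1, -1).match(/"[^"]*"|[^\s"]+/g) || [];
    } else {
      tokens = [value]; // bare item such as * or self
    }
    const allow = tokens.map(t => t.replace(/^"|"$/g, ''));
    const effect = allow.length === 0 ? 'blocked'
      : allow.includes('*') ? 'all-origins' : 'restricted';
    policy[name] = { allow, effect };
  }
  return policy;
}

// Directives that grant the feature to every origin, worth a second look in review.
function wildcardDirectives(policy) {
  return Object.keys(policy).filter(n => policy[n].effect === 'all-origins');
}
```
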