Small, focused web-security tools.
A growing collection of single-purpose utilities for AppSec basics. Each tool is designed to do one thing well, explain its findings clearly, and be safe to run from a browser.
Misconfig Mapper
OWASP A05 in one click.
Enter a URL and get a report card covering missing security headers, exposed .git/.env, information disclosure, and cookie hygiene.
JWT Inspector
Decode, audit, and crack weak HS256 secrets.
Paste a JWT and see decoded header/payload, security findings (alg:none, kid injection, expired tokens, sensitive claims), and a built-in HS256 wordlist crack — all in your browser.
CORS Tester
Probe an endpoint's Origin policy.
Sends a battery of Origin probes — reflection, null, suffix/prefix bypass, subdomain, scheme downgrade, and a preflight — and classifies the response. Flags the dangerous reflection-with-credentials pattern.
TLS / Cert Viewer
Inspect the live certificate chain.
Opens a TLS handshake to a host, walks the certificate chain, and grades expiry, hostname match, signature algorithm, key strength, protocol version, and cipher.