Encoders, Hash & Security Tools
COOP/COEP/CORP Header Builder
Build Cross-Origin isolation headers for SharedArrayBuffer, WebAssembly threads, and cross-origin security. Choose from presets with debugging checklists.
Tools
Encode and inspect data, generate hashes, and prepare browser security policies, integrity values, tokens, and headers.
Available tools
Encoders, Hash & Security Tools
Build Cross-Origin isolation headers for SharedArrayBuffer, WebAssembly threads, and cross-origin security. Choose from presets with debugging checklists.
Encoders, Hash & Security Tools
Generate CORS HTTP headers for any origin, method, and credential configuration. Output in raw HTTP, Nginx, Apache, Express, or Cloudflare Workers format.
Encoders, Hash & Security Tools
Generate CSP hash values for inline scripts and styles. Hash exact code content with SHA-256, SHA-384, or SHA-512 and get the matching CSP directive snippet.
Encoders, Hash & Security Tools
Generate Sanitizer API and DOMPurify allowlist configurations. Choose content-type presets or customize allowed tags and attributes for safe HTML rendering.
Encoders, Hash & Security Tools
Generate and validate security.txt files per RFC 9116. Specify your contact, expiration, and optional fields, then get hosting guidance for GitHub Pages, Netlify, and Vercel.
Encoders, Hash & Security Tools
Generate Subresource Integrity hashes for script and stylesheet files. Paste code, upload a local file, or reference a CDN URL and get the integrity attribute for your HTML tags.
Encoders, Hash & Security Tools
Generate a VAPID key pair for Web Push notifications using the browser's Web Crypto API. Output ready-to-use keys for Node web-push, Firebase, and environment variables.
Encoders, Hash & Security Tools
Generate secure iframe markup with sandbox flags and allow permissions by embed type.
Encoders, Hash & Security Tools
Generate a Permissions-Policy HTTP header to control browser feature access across your site.
Encoders, Hash & Security Tools
Generate a Content-Security-Policy header for static sites with CDN, analytics, font, and embed options.
Encoders, Hash & Security Tools
Generate a Referrer-Policy header or meta tag to control how much referrer information is sent with outbound links.
Encoders, Hash & Security Tools
Generate a Trusted Types policy with configurable createHTML/createScript/createScriptURL operations and matching Content-Security-Policy headers for Nginx and Apache.
Encoders, Hash & Security Tools
Encode and decode Uint8Array data using native toBase64(), toHex(), fromBase64(), and fromHex() methods. No more manual btoa or charCodeAt loops.
Encoders, Hash & Security Tools
Decode JWT tokens to inspect header, payload claims, and timestamps. All decoding happens locally — no token is sent to any server.
Encoders, Hash & Security Tools
Encode text to Base64 or decode Base64 back to text. Supports URL-safe Base64 variant. All processing is local.
Encoders, Hash & Security Tools
Encode or decode URL-encoded strings. Supports both encodeURIComponent (full) and encodeURI (URL-safe) modes.
Encoders, Hash & Security Tools
Generate UUID v4 (random) or v7 (time-ordered) identifiers with configurable options
Encoders, Hash & Security Tools
Generate cryptographic hashes and HMAC JavaScript code using Web Crypto API
Encoding and security syntax must be exact. A missing directive, incorrect hash, or misunderstood token can break a page or create false confidence. These tools generate inspectable output for common browser security and data-encoding tasks, while keeping clear boundaries between encoding, hashing, inspection, and verification.
Start by identifying whether the task is encoding, hashing, signing, or policy configuration. These operations are not interchangeable. Review generated policies against the resources your site actually loads, test headers in a staging environment, and never treat decoded content as trusted until the relevant signature or source has been verified.
FAQ
No. Base64 is a reversible representation of bytes. Anyone with the encoded value can decode it, so it must not be used to protect secrets.
No. Decoding reveals the header and payload but does not prove that the signature is valid. Verify JWT signatures in a trusted server-side environment before using claims for authorization.
Treat them as a reviewed starting point. The correct policy depends on your actual origins, scripts, frames, APIs, browser targets, and server configuration.