Tools

Free Encoders, Hash & Security Tools

Encode and inspect data, generate hashes, and prepare browser security policies, integrity values, tokens, and headers.

Available tools

Encoders, Hash & Security Tools you can use now

Encoders, Hash & Security Tools

COOP/COEP/CORP Header Builder

Build Cross-Origin isolation headers for SharedArrayBuffer, WebAssembly threads, and cross-origin security. Choose from presets with debugging checklists.

Open tool

Encoders, Hash & Security Tools

CORS Header Generator

Generate CORS HTTP headers for any origin, method, and credential configuration. Output in raw HTTP, Nginx, Apache, Express, or Cloudflare Workers format.

Open tool

Encoders, Hash & Security Tools

CSP Hash Generator

Generate CSP hash values for inline scripts and styles. Hash exact code content with SHA-256, SHA-384, or SHA-512 and get the matching CSP directive snippet.

Open tool

Encoders, Hash & Security Tools

HTML Sanitizer Config Builder

Generate Sanitizer API and DOMPurify allowlist configurations. Choose content-type presets or customize allowed tags and attributes for safe HTML rendering.

Open tool

Encoders, Hash & Security Tools

security.txt Generator & Validator

Generate and validate security.txt files per RFC 9116. Specify your contact, expiration, and optional fields, then get hosting guidance for GitHub Pages, Netlify, and Vercel.

Open tool

Encoders, Hash & Security Tools

SRI Hash Generator

Generate Subresource Integrity hashes for script and stylesheet files. Paste code, upload a local file, or reference a CDN URL and get the integrity attribute for your HTML tags.

Open tool

Encoders, Hash & Security Tools

VAPID Key Generator

Generate a VAPID key pair for Web Push notifications using the browser's Web Crypto API. Output ready-to-use keys for Node web-push, Firebase, and environment variables.

Open tool

Encoders, Hash & Security Tools

Trusted Types Policy Generator

Generate a Trusted Types policy with configurable createHTML/createScript/createScriptURL operations and matching Content-Security-Policy headers for Nginx and Apache.

Open tool

Encoders, Hash & Security Tools

Uint8Array Base64/Hex Converter

Encode and decode Uint8Array data using native toBase64(), toHex(), fromBase64(), and fromHex() methods. No more manual btoa or charCodeAt loops.

Open tool

Encoders, Hash & Security Tools

JWT Decoder and Claims Inspector

Decode JWT tokens to inspect header, payload claims, and timestamps. All decoding happens locally — no token is sent to any server.

Open tool

Encoders, Hash & Security Tools

Base64 Encoder and Decoder

Encode text to Base64 or decode Base64 back to text. Supports URL-safe Base64 variant. All processing is local.

Open tool

Encoders, Hash & Security Tools

URL Encoder and Decoder

Encode or decode URL-encoded strings. Supports both encodeURIComponent (full) and encodeURI (URL-safe) modes.

Open tool

Encoders, Hash & Security Tools

UUID Generator

Generate UUID v4 (random) or v7 (time-ordered) identifiers with configurable options

Open tool

What this collection helps with

Encoding and security syntax must be exact. A missing directive, incorrect hash, or misunderstood token can break a page or create false confidence. These tools generate inspectable output for common browser security and data-encoding tasks, while keeping clear boundaries between encoding, hashing, inspection, and verification.

Best for

  • Preparing CSP, Permissions Policy, CORS, and cross-origin headers.
  • Encoding URL or Base64 data and inspecting JWT claims.
  • Generating hashes, integrity values, UUIDs, and security-related files.

Common use cases

  • Generate a CSP starter policy or hash for an inline resource.
  • Encode a URL component or convert Base64 and hexadecimal data.
  • Inspect a JWT payload without treating decoding as signature verification.

Task guide

Start by identifying whether the task is encoding, hashing, signing, or policy configuration. These operations are not interchangeable. Review generated policies against the resources your site actually loads, test headers in a staging environment, and never treat decoded content as trusted until the relevant signature or source has been verified.

Publishing checklist

  • Distinguish reversible encoding from one-way hashing and cryptographic signing.
  • Test security headers in report-only or staging mode before enforcing them.
  • Verify hashes against the exact bytes served in production.
  • Do not paste production secrets, private keys, or sensitive tokens into browser tools.
  • Confirm browser and server support for every generated directive.

FAQ

Questions about encoders, hash & security tools

Is Base64 encryption?

No. Base64 is a reversible representation of bytes. Anyone with the encoded value can decode it, so it must not be used to protect secrets.

Does decoding a JWT verify it?

No. Decoding reveals the header and payload but does not prove that the signature is valid. Verify JWT signatures in a trusted server-side environment before using claims for authorization.

Can generated security headers be deployed unchanged?

Treat them as a reviewed starting point. The correct policy depends on your actual origins, scripts, frames, APIs, browser targets, and server configuration.