Security & Hashing Tools

15 cryptography and security utilities: hashing, encryption, JWT analysis, key generation, security header scanning, and more.

#️⃣

Hash Generator

Compute MD5, SHA-1, SHA-256, SHA-384, and SHA-512 hashes for text or files. All hashes shown simultaneously with one-click copy.

🔐

HMAC Generator

Generate HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 message authentication codes with a secret key.

💪

Password Strength

Analyze password entropy, character composition, and estimated crack time across different attack scenarios.

🔒

AES Encrypt / Decrypt

Encrypt and decrypt text with AES-256-GCM. Password-derived key via PBKDF2. Output includes salt and IV: fully self-contained.

🪪

JWT Debugger

Decode and inspect JWT header, payload, and signature. Shows expiry status, algorithm, and all time-based claims with human-readable dates.

🎲

Secure Token Generator

Generate cryptographically random tokens in hex, Base64, Base64URL, alphanumeric, or UUID v4 format.

🛡️

CSP Builder

Visual builder for Content-Security-Policy headers. Configure directives, sources, and copy the resulting header or meta tag.

Checksum Verifier

Upload a file and compare its MD5/SHA-1/SHA-256/SHA-512 hash against an expected value to verify integrity.

🔭

Website Scanner

Scan any public URL for HTTP security headers, HTTPS enforcement, and server information leakage. Graded A–F with per-header recommendations.

📋

Security Headers

Reference and generator for HTTP security headers: HSTS, X-Frame-Options, CSP, Referrer-Policy, Permissions-Policy, and more.

🗝️

RSA Key Generator

Generate RSA-2048/3072/4096 key pairs in PEM format using the browser's Web Crypto API. Keys never leave your device.

🔑

Bcrypt Hasher

Hash passwords with bcrypt at configurable cost factors (4–12 rounds) and verify plaintext passwords against stored hashes. One-way, irreversible.

🔢

CRC32 Checksum

Compute CRC32 checksums for text or files. Displays result in hex, decimal, and binary. Includes verify mode to compare against an expected value.

🔏

DES / 3DES Cipher

Encrypt and decrypt data with legacy DES (8-byte key) or Triple-DES (24-byte key) using ECB mode with PKCS7 padding. Includes a security warning.

🧮

XOR Cipher

XOR text, hex, or bytes against a repeating key. Visual byte-by-byte breakdown. Output as hex, Base64, or binary. Educational purposes only.

How these security tools work

All cryptographic operations on this page run inside your browser using the Web Crypto API, a standardised interface built into every modern browser. When you hash a string with SHA-256 or encrypt data with AES, the computation happens on your device using the browser's native cryptographic primitives — not a third-party library, and not a remote server. This means sensitive data you paste into these tools never leaves your machine.

The password generator produces cryptographically random output by drawing from the browser's crypto.getRandomValues() function, which is seeded by the operating system's entropy source. This is meaningfully different from Math.random(), which is deterministic and unsuitable for security purposes. The strength checker analyses entropy based on character set size and password length, and flags common patterns like dictionary words and keyboard walks.

Bcrypt hashing uses a cost factor (work factor) that controls how long the operation takes. A higher cost factor means brute-forcing the hash takes proportionally longer — the default of 10 is widely recommended for most applications in 2025. The CSP builder helps you construct a Content Security Policy header by choosing your allowed sources per directive, then shows you the final header string to copy into your web server configuration.

Frequently Asked Questions

Do these security tools store anything I enter?
Nothing. All inputs are processed locally in your browser and discarded when you leave the page. No logs, no databases, no analytics on your data.
Are the hashes and encrypted outputs cryptographically reliable?
Yes. The tools use standard algorithms: SHA-256, bcrypt, AES: via the Web Crypto API and established libraries. The outputs are interoperable with any standard implementation.
Is it safe to use the JWT debugger with a real token?
Since it runs locally, your token doesn't leave your browser. That said, treat production secrets carefully regardless: don't paste sensitive tokens into tools you haven't vetted.
What's the bcrypt tool useful for?
Hashing passwords during development, verifying that a plaintext value matches a stored hash, and testing different bcrypt round configurations for your app.
Is the password generator cryptographically secure?
Yes. It uses window.crypto.getRandomValues(), the same CSPRNG your browser uses for TLS. The passwords it generates are random in the strong, cryptographic sense.