Security tools
ClientThis page is an indexâopen a card for the dedicated route. Cryptography, signing, token inspection, checksums, compression, secrets generation, certificates, and validators stay client-side unless a tool page says otherwise.
How this hub is organized
Each card opens a dedicated routeâencryption and digests, JWT inspection, PKCE, TOTP, checksums, passwords, and validators. Check the execution badge on a card before you paste production secrets.
Browse security utilities
Cards follow the home catalog order for this category.
Encrypt & decrypt
ClientEncrypt, decrypt, hash (AES, DES, RC4, Rabbit, TripleDES, MD5, SHA) and Base64âclient-side.
HMAC (SHA-256 & more)
ClientHMAC-SHA-256/384/512/1 in the browserâhex or Base64 for webhooks, signing, and API docs.
File checksum & hash
ClientSHA-256, SHA-512, MD5, CRC-32, and more for a local fileâverify downloads without uploading.
Hash identifier
ClientGuess digest type from hex length, Base64 shape, or bcrypt/Argon2 prefixesâheuristic, local only.
CRC-32 & CRC-32C
ClientIEEE CRC-32 and Castagnoli CRC32C on UTF-8 text or raw hex bytesâZIP/PNG family vs iSCSI/protobuf; local only, complements file checksum for whole-file digests.
Subresource Integrity (SRI)
ClientSHA-256/384/512 base64 integrity tokens for script and link tagsâUTF-8 paste or local file; Web Crypto only.
CSP header builder
ClientBuild a Content-Security-Policy header from directive fieldsâcopy for nginx, Express, or CDN configs locally.
Permissions-Policy builder
ClientBuild a Permissions-Policy header to allow or deny camera, geolocation, payment, and other browser features locally.
Referrer-Policy builder
ClientPick a Referrer-Policy value and copy the HTTP headerâcontrol referrer leakage locally.
Cross-origin policy headers
ClientBuild COOP, COEP, and CORP response headers for isolation and embed rulesâin your browser.
HSTS header builder
ClientDraft Strict-Transport-Security with max-age, includeSubDomains, and optional preloadâlocal only.
Compress & minify
ClientHTML, JS, CSS, XML, SQL, JSON minify; batch JPEG/WebP image compression.
JWT decode
ClientInspect JWT header and payload as JSON in browser; signature not verified.
JWT sign & verify
ClientSign HS256/384/512 JWTs or verify HMAC signatures in the browserâpair with JWT decode for claims.
JWT verify (RSA / ECDSA)
ClientVerify RS256/384/512 or ES256/384/512 JWTs with a PEM public key in the browserâWeb Crypto only.
JWT sign (RSA / ECDSA)
ClientSign RS256/384/512 or ES256/384/512 JWTs with a PKCS#8 PEM private key in the browserâWeb Crypto only.
JWT expiry check
ClientSee exp, nbf, and iat on a JWT vs your browser clockâexpired or not-yet-valid hints; decode-only.
SSH key generator
ClientGenerate Ed25519 or RSA 2048 key pairs as PEM in the browserâoptional OpenSSH public line for Ed25519.
OAuth PKCE generator
ClientRFC 7636 code_verifier plus S256 code_challenge (SHA-256, base64url)âWeb Crypto in your tab, no upload.
TOTP / authenticator codes
ClientRFC 6238 time-based one-time passwords from a Base32 secretâHMAC-SHA1, otpauth URI and optional QR; local only.
Validate tools
ClientHub for format validatorsâWeb3 Ethereum address (EIP-55) and hex private key checks; more routes over time.
Web3 address & key check
ClientValidate 0x address length and EIP-55 checksum; check 64-digit hex private key shape and secp256k1 rangeâbrowser-only.
Basic Auth header
ClientBuild Authorization Basic and curl -u from username and passwordâUTF-8 Base64 in your browser.
BIP39 mnemonic generator
ClientGenerate English BIP-39 recovery phrases (12â24 words) with browser CSPRNGâcopy locally; not a wallet.
Password generator
ClientRandom passwords with length and character setsâgenerated in your browser.
PIN code generator
ClientGenerate 4â8 digit numeric PINs with crypto randomness in your browserâcopy locally.
Password strength
ClientHeuristic password strength meterâlength, charset mix, common weak-password warnings; local only.
Bcrypt hash & verify
Clientbcrypt password digests with adjustable cost (bcryptjs)âhash or verify $2a/$2b strings locally.
Random string generator
ClientRandom alphanumeric, hex, Base64 URL-safe, or custom tokensâentropy hint, local only.
Random integer generator
ClientUniform integers in a minâmax rangeâoptional unique draws, sort, Web Crypto; local only.
PEM / X.509 viewer
ClientDecode PEM certificates in the browserâsubject, issuer, validity; paste only what you trust.
Nearby workflows on Toolcore
- Encrypt & decrypt â for AES, hashes, and Base64 experiments on pasted text.
- JWT decode â to read claims without verifying signatures here.
- Password generator â before you hash throwaway samples on the bcrypt page.
- Validators hub â for Web3 and other format checks beside crypto tabs.
Common use cases
- Open JWT decode when you need header and payload JSON from a signed tokenâremember verification is not performed here.
- Use HMAC or crypto when reproducing webhook signatures or comparing hash outputs from docs.
- Use file checksum when verifying a download against a published SHA-256 or MD5 without uploading the file.
- Use CRC-32 when you need IEEE or Castagnoli CRC32C on pasted UTF-8 or hex bytesâdistinct from cryptographic hashes and from whole-file checksum in the file tool.
- Use IBAN validate when you need MOD-97-10 and length checks locallyâno bank directory lookup.
- Use ABA routing checker when you need the MICR checksum on a nine-digit Fed routing numberâstill verify institution-specific routines with your bank.
- Use payment card checker when you need mod 10 plus a Visa/Mastercard/Amex/Discover-style prefix hint from public BIN rangesâstill only digits-in-browser.
- Use ISBN validate when you need ISBN-10 / ISBN-13 checksums or 978âISBN-10 conversion without a publisher APIâidentifiers only.
- Use OAuth PKCE when you need a fresh code_verifier and S256 code_challenge pair for a public client flow.
- Use TOTP when you need RFC 6238 codes from a Base32 secretâcompare against your IdP or build otpauth URIs without uploading secrets.
- Use SRI when you need sha256/sha384/sha512 integrity tokens for script or link tags from the exact bytes you will serve.
- Use bcrypt when you need slow password digests or to verify a candidate password against an existing $2a/$2b hash locally.
- Jump to Validate tools for Web3 address checks and similar format guards, then return here for other security utilities.
Common mistakes to avoid
Pasting live secrets into shared machines
Processing is local on Toolcore, but screen visibility and clipboard history still matterâprefer redacted samples.
Assuming JWT decode implies trust
Decoding only shows claims; signature and audience checks belong in your application code.
FAQ
Where are format validators?
The validators hub is at /tools/validate (Web3 and more). It is listed below with the other security tools.
Is data sent to a server?
These tools run in your browser unless a specific page documents otherwise.