Dev Tools for Security Engineers
Security engineers need tools for both offensive and defensive work: generating and verifying cryptographic hashes, testing hash functions and HMAC, generating RSA/ECDSA key pairs, decoding SSL certificates, analyzing JWTs, checking password strength, and testing SQL injection patterns. This collection provides the cryptographic and security-focused tools that security professionals reach for during code review, penetration testing, security audits, and incident response — all browser-based and running locally.
Generate SHA-1, SHA-256, SHA-384, and SHA-512 cryptographic hashes from any text.
Generate an MD5 hash from any text. Pure JavaScript implementation, runs client-side.
Generate HMAC-SHA-256/384/512 message authentication codes using a secret key.
Derive a key from a password using PBKDF2 (SHA-256). Configure salt and iterations.
Encrypt and decrypt text with AES-GCM using a password. Runs entirely in your browser.
Generate RSA key pairs (2048 or 4096-bit) and export as PEM in your browser.
Generate an RSA SSH key pair. Shows the OpenSSH public key and the PEM private key.
Paste a PEM private or public key to detect its type, algorithm, and key size.
Paste a PEM certificate and decode its subject, issuer, validity dates, SANs, and more.
Find out how many days until an SSL certificate expires. Paste a PEM or enter a date.
Fill in your details and get a ready-to-run openssl command to generate a CSR and key.
Paste a PEM CSR and decode its subject, public key algorithm, and signature algorithm.
Calculate SHA-1 and SHA-256 fingerprints of a PEM certificate in colon-separated hex.
Decode and inspect JSON Web Token header and payload.
Decode a JWT and annotate every claim with a human-readable explanation and validity status.
Parse OAuth callback URLs and decode JWT access tokens in one place.
Generate time-based one-time passwords (RFC 6238) from a Base32 secret key.
Generate strong, random passwords with customizable options.
Analyze password strength by checking length, character variety, and entropy.
Detect common SQL injection patterns in a query and understand why they are dangerous.
Upload a file and calculate its MD5, SHA-1, SHA-256, and SHA-512 checksums.
Upload a .der file and convert it to PEM format with the appropriate header and footer.
Convert a PEM certificate or key to binary DER format and download the .der file.
FAQ
- How do I verify a file checksum from a download?
- Use the Checksum Calculator to compute the SHA-256, SHA-512, or MD5 hash of a file locally in your browser and compare it to the hash published by the software distributor. The calculation happens entirely in your browser using the Web Crypto API — the file is never uploaded.
- How do I inspect a suspicious JWT without sending it to a server?
- The JWT Decoder and Explain JWT tools decode any JWT locally in your browser without any network request. You can inspect the header algorithm, payload claims, expiry, and identify potential issues like missing expiry, none algorithm, or overly broad claims without exposing the token.
- How do I generate a CSR for a new TLS certificate?
- Use the CSR Generator to create a Certificate Signing Request with your domain name, organization, and key size. It generates the CSR and private key locally in your browser. Submit the CSR to your CA (or Let's Encrypt ACME client) to obtain the signed certificate. The private key never leaves your browser.