Security

Plan a secret rotation without pasting the credential, with staged cutover timing, validation gates, risk scoring, and change-record exports.

Generate an Apache .htaccess draft from presets and ordered rule sections, then review warnings, counts, and saved JSON before staging changes.

Calculate IPv4 ACL wildcard masks from CIDR, subnet, host, or any entries, then review ACE lines, match size, overlaps, and broad matches.

Check ACME DNS-01 readiness with TXT token matching, CNAME or NS delegation checks, resolver comparison, and cache-aware retry guidance.

Check ACME HTTP-01 retry readiness with route, redirect, body-match, IPv6, cache, CDN/WAF, and backend consistency evidence for retries.

Generate API keys in your browser with public IDs, entropy checks, check segments, storage hashes, and sensitive-batch warnings.

Check alternative DCV proofs before a certificate order retry, comparing DNS, CNAME, HTTP, HTTPS, CSR hashes, tokens, and resolver evidence.

Analyze audit log exports in your browser, ranking failure bursts, privilege changes, source shifts, and after-hours activity with evidence.

Check pasted BGP AS paths for wrong origins, blocked ASNs, regex misses, long paths, and prepend watch findings before policy changes.

Generate a BIMI DNS TXT record with logo, evidence, selector, provider steps, and readiness checks for DMARC-aligned mail rollout.

Validate BIMI for a domain and selector with DNS, DMARC, SVG logo, and PEM certificate checks, then review gate scores and fix notes.

Check a mail host or sender IP against DNSBL/RBL lists, separate real listings from resolver warnings, and export evidence for follow-up.

Check bulk sender readiness against Gmail, Yahoo, and Outlook requirements using DNS, headers, spam rate, and unsubscribe evidence.

Validate CAA policy for a hostname with CNAME and parent lookups, wildcard checks, issuer findings, DNS evidence, and exportable reports.

Check CIDR allowlists for broad ranges, sensitive ports, stale review dates, missing owners, and overlaps with scored triage evidence.

Check CORS response headers against origin, credential, cache, exposed-header, and private-network assumptions with scored risks and fixes.

Draft a Content Security Policy header with nonce, hash, or allowlist script controls, reporting headers, directive review, and rollout warnings.

Check a Content-Security-Policy header for risky script rules, missing baseline directives, reporting gaps, and rollout fixes before enforcement.

Check certificate inventory expiries from CSV rows in your browser, ranking urgent renewals, owner gaps, manual-renewal risk, and public validity findings.

Plan TLS certificate renewals from population, validity, lead time, spread, daily capacity, retry reserve, and safety buffer before expiry.

Decode a CSR in your browser, check SAN coverage and key strength, and review signature, fingerprint, and issuance-readiness notes.

Generate a CSR and RSA private key in your browser, review SANs and fingerprints, and export PEM plus OpenSSL guidance without sending keys.

Check a TLS certificate fingerprint against public CT data, compare issuer and hostname evidence, and spot revocation or reporting clues.

Generate Cisco IPv4 ACL commands from flow rows with wildcard conversion, sequence planning, safety review tables, and platform syntax checks.

Analyze container scan output in your browser, normalize vulnerability findings, test release gates, and rank fixable packages for remediation.

Check DANE TLSA records for mail or TLS services, verify owner-name routing, DNSSEC AD evidence, digest matches, and readiness issues.

Generate a DKIM DNS TXT record from selector, domain, and public key input, with key checks, split-string guidance, and publish-ready DNS fields.

Check a DKIM selector for a signing domain, review TXT publication, key strength, testing flags, and resolver evidence before troubleshooting mail authentication.

Build a DMARC TXT record for a domain with owner labels, report URIs, alignment choices, authorization notes, and rollout warnings.

Check a domain's DMARC TXT record, policy tags, alignment modes, report destinations, rollout signals, and control scores using public DNS.

Build a DNS denial proof for NXDOMAIN or NODATA with resolver evidence, NSEC/NSEC3 checks, retry timing, and validation warnings.

Check DNS glue and delegation for a domain, flag risky nameserver address gaps, compare public resolver views, and export repair evidence.

Enumerate public DNS records for a domain, hostname, URL, email domain, or IP with resolver evidence, mail checks, DNSSEC clues, and hardening flags.

Check dependency license evidence against allowed, review, and denied policies with SPDX expression triage, scope filters, risk scores, and review queues.

Triage dependency update rows by SemVer, runtime scope, security status, tests, and compatibility, then export owner-review queues and charts.

Create a Diceware passphrase in your browser from EFF long-list rolls, then review entropy, manual dice keys, site policy checks, and roll evidence.

Check a Dockerfile for risky build and runtime defaults, with weighted findings for base images, secrets, users, package hygiene, and release gates.

Check raw email headers in your browser for relay delays, SPF/DKIM/DMARC alignment, ARC context, sender mismatches, and spoof-risk clues.

Inspect image EXIF metadata locally, flag GPS and serial privacy risks, and export a cleaned copy with JPEG edits when supported.

Encrypt or decrypt one local file in your browser with AES-GCM, Argon2id or PBKDF2 settings, recovery metadata, and downloadable audit details.

Hash a local file in your browser, compare MD5, SHA, SHA-3, or RIPEMD-160 digests, and keep a session ledger with salt context.

Analyze firewall deny logs in your browser, group blocked source-service paths, and prioritize watched ports with CIDR direction checks.

Turn firewall flow rows into a review matrix with risk scoring, audit findings, object plans, platform handoff notes, and scope heatmaps.

Review firewall rule inventories for stale, broad, expired, ownerless, or privileged access and produce an evidence-backed cleanup queue.

Find shadowed firewall rules in ordered ACL exports, compare full and partial overlaps, flag object warnings, and prioritize cleanup work.

Generate HMAC signatures in your browser from text or local files, with SHA, RIPEMD, legacy MD5, byte encodings, prefixes, and match checks.

Review pasted HTTP response headers for HSTS, CSP, cookies, CORS, cache, and disclosure risks with scoring and remediation cues.

Identify likely hash formats from pasted values or local text files, with cleanup hints, confidence labels, ambiguity checks, and exportable evidence.

Check a live HTTP URL for response headers, redirect drift, cache rules, cookie flags, CORS exposure, and prioritized hardening fixes.

Analyze IAM policy JSON for wildcard actions, broad resources, sensitive services, and least-privilege findings before approval.

Review IAM policy JSON for wildcard permissions, broad principals, negated allows, exception claims, and remediation steps before approval.

Strip hidden image metadata in your browser, compare source and clean findings, and download a fresh JPEG, PNG, or WebP copy.

Turn incident action rows into an owner follow-up ledger with due-date states, blocker warnings, missing-field checks, and charted workload.

Check a JWT or decoded claims payload for risky issuer, audience, time, header, replay, and data-exposure signals before relying on it.

Decode a compact or Bearer JWT in your browser, inspect readable claims, and review timing, issuer, audience, signature, and sensitive-claim warnings.

Build Kubernetes NetworkPolicy YAML from pod selectors and ingress or egress allow rows, with peer checks, rollout commands, and a flow map.

Check Kubernetes workload YAML for risky securityContext settings, inherited pod defaults, Pod Security blockers, and remediation patch cues.

Validate an email domain's MTA-STS TXT record, HTTPS policy, cache window, MX coverage, and policy-host certificate before enforce mode.

Size a NAT/SNAT pool from public IPs, user fan-out, reserves, growth, and hot-destination pressure with capacity charts and warnings.

Check domain nameserver health with resolver comparison, glue and public-address checks, SOA timer review, DNSSEC clues, and repair steps.

Turn network audit findings into a prioritized register with owner queues, evidence gaps, escalation status, charts, and export-ready brief wording.

Compare registered OAuth redirect URIs with observed requests, then flag exact-match drift, wildcard scope, fragments, and open-redirect clues.

Build an OpenVPN client profile from endpoint, routing, authentication, cipher, TLS, and certificate choices with review warnings before import.

Generate local PDF open and owner passwords, check entropy, map permission flags, and export redacted handoff notes for later encryption work.

Protect a PDF in your browser with open and owner passwords, qpdf AES encryption, permission profiles, metadata handling, and verification checks.

Plan PDF redactions in your browser, scan selectable text for targets, flag hidden-data risks, and export evidence without creating a redacted file.

Unlock an owner-approved PDF in your browser with a known password or empty-user restriction setting, then download a locally verified copy.

Extract PEM blocks from pasted text or files, separate certificates, CSRs, keys, and other labels, and record each item with line spans and SHA-256 hashes.

Check a password in your browser, compare login and breach crack-time estimates, flag common patterns, and get safer upgrade guidance.

Turn port exposure rows into a prioritized review list, highlighting public high-risk services, missing owners, and host cleanup scope.

Clean messy port lists in your browser into TCP/UDP target strings, compact ranges, IANA bands, service warnings, and scan-ready outputs.

Convert Unicode domains and Punycode labels, then check DNS lengths, round trips, script risks, URL parsing, and safe copy targets.

Generate FreeRADIUS client blocks from NAS rows with local secret generation, address validation, hardening directives, and deployment review.

Estimate RADIUS request load from access events, accounting updates, retransmits, and server budgets, then compare active-pool and N-1 capacity.

Convert RSA keys between PKCS#1, PKCS#8, encrypted private, and public PEM wrappers with local parsing and fingerprint checks.

Compare DNS-over-HTTPS resolver answers across open, threat-filtered, and family-filtered profiles to spot policy splits, zero-sinks, and DNSSEC drift.

Check reverse DNS for an IP or hostname, confirm PTR names resolve forward, compare public resolvers, and spot stale records.

Check an S3 bucket policy for public, cross-account, and service-principal exposure with severity findings and remediation cues.

Check SAML assertion timing from XML or encoded captures, compare clock skew and bearer expiry, and export audit evidence for SSO review.

Validate SAML metadata XML for entity IDs, SP or IdP roles, endpoint policy, certificate expiry, signature presence, and import blockers.

Analyze SARIF logs for release-gate findings, priority rows, rule and file hotspots, severity charts, and fingerprint coverage warnings.

Review CycloneDX, SPDX, Syft, or CSV SBOM evidence, rank component risk, and separate vulnerability, license, and identity review work.

Look up SMIMEA or OPENPGPKEY DNS records for a mailbox, check the derived owner name, and compare DNSSEC resolver evidence with payload clues.

Build an SPF TXT record from sender inventory, provider includes, IP ranges, A/MX choices, redirect policy, and lookup-budget warnings.

Check a domain's SPF TXT record, count DNS lookup risk, trace includes and redirects, and export clear validation notes for mail setup reviews.

Check SSH algorithm evidence against modern, compatibility, or legacy-exception policies with scorecard findings and config patch cues.

Match a TLS leaf certificate to a candidate issuer CA, then review signature proof, DN alignment, CA status, expiry risk, and trust score.

Check a live host or pasted PEM certificate chain for missing issuers, hostname mismatch, expiry risk, weak crypto, and install-ready PEM.

Check a public hostname's TLS posture with SSL Labs grades, trust-path gaps, legacy protocol flags, expiry risk, and a prioritized fix queue.

Check SSL/TLS certificate expiry from a live host, with renewal timing, SAN coverage, issuer, serial number, and fingerprint evidence.

Match a TLS certificate to its CSR or RSA private key in your browser with SPKI pins, chain warnings, encrypted-key support, and exports.

Check OCSP revocation status for a public TLS host or pasted certificate, with responder timestamps, warnings, and replay evidence.

Check Set-Cookie headers for SameSite delivery, Secure pairing, prefix rules, and flow risks before SSO, payments, or embeds fail.

Scan configs, logs, and support snippets for secret-like keys, then review masked evidence, provider-pattern hits, entropy cues, and rotation steps.

Generate a random password in your browser, tune allowed characters, and compare entropy, crack-time, zxcvbn strength, and history.

Convert one SSH public key between OpenSSH, SSH2, and PEM in the browser, then compare SHA-256 fingerprints, comments, and warnings.

Extract an SSH public key in your browser from private-key text or public lines, then check fingerprints and build authorized_keys entries.

Convert PEM, DER, P7B, and PFX certificates in your browser, inspect chain and expiry details, and catch key issues before download.

Decode SSL certificates from PEM, DER, or PKCS#7 in your browser, with SAN coverage, validity, fingerprints, usage, and chain checks.

Trace a live TLS endpoint, check the negotiated protocol and certificate chain, and separate DNS, TCP, and TLS timing problems.

Validate a TLS-RPT DNS record for a mail domain, check report destinations and policy signals, and build a publish-ready TXT snippet.

Encrypt or decrypt private text in your browser with AES-GCM defaults, password stretching, portable envelopes, integrity checks, and byte-size breakdowns.

Hash exact UTF-8 text in your browser, compare SHA-2, SHA-3, MD5, SHA-1, and RIPEMD-160 digests, with salt rules and saved profiles.

Calculate tie-down strap capacity from cargo weight, length, WLL, securement path, blocking, reserve, and minimum-count rules.

Check a suspicious URL against Safe Browsing, SURBL, and local risk signals, then review scope-aware verdicts and follow-up links.

Estimate VPN tunnel user capacity from line rate, packet overhead, peak demand, gateway caps, and MTU limits with tables and a load curve.

Calculate vulnerability remediation SLA due dates from CSV rows, flag overdue or due-soon findings, and build owner-ready queues.

Generate WireGuard server and client configs with peer route checks, a topology preview, placeholder-key warnings, and CSV or DOCX exports.

Build iptables or ip6tables commands from CIDRs, ports, chains, backend choices, and strict review checks before firewall changes.

Turn npm audit JSON or CI text into a release gate, severity ledger, fix-pressure queue, charts, and remediation handoff notes.