Security

Plan a secret rotation with staged cutover timing, validation gates, risk scoring, and exportable change evidence without pasting credentials.

Build an Apache .htaccess draft for redirects, headers, caching, CORS, and access rules with warnings and copy-ready output before staging.

Calculate IPv4 ACL wildcard masks from CIDR, subnet, host, or any entries, then review ACE lines, match size, overlaps, and broad matches.

Check whether an ACME DNS-01 challenge is ready, with TXT matching, delegation-route checks, resolver comparison, and retry timing.

Check ACME HTTP-01 retry readiness by testing the host, token body, redirects, IPv6, cache, CDN or WAF, and backend sync evidence.

Generate API keys in your browser with public lookup IDs, entropy targets, SHA-256 storage hashes, and sensitive-batch warnings.

Check DNS, CNAME, HTTP, and HTTPS DCV proofs before a certificate retry, with CSR-hash handling, resolver evidence, and mismatch notes.

Analyze audit log exports in your browser, ranking failure bursts, privilege changes, source shifts, and after-hours activity with evidence.

Check pasted BGP AS paths against origin, first-hop, blocked-ASN, regex, length, and prepend rules before changing routing policy.

Generate a BIMI DNS TXT record with logo and evidence URLs, DMARC readiness checks, provider paste steps, charts, and exports.

Validate a domain's BIMI record with DMARC, SVG logo, resolver, and PEM evidence checks, then review readiness scores and fix notes.

Check a mail host or sender IP against DNSBL/RBL lists, separating real listings, policy signals, resolver warnings, and TXT evidence.

Check bulk sender readiness for Gmail, Yahoo, and Outlook with DNS, header, complaint-rate, unsubscribe, and DMARC alignment evidence.

Check a hostname's CAA policy with CNAME and parent-DNS lookup evidence, wildcard rules, issuer findings, and resolver comparison notes.

Review CIDR allowlists for broad source ranges, sensitive ports, stale dates, missing owners, overlaps, and scored cleanup evidence.

Check CORS response headers against origin trust, credentials, caching, exposed headers, and private-network access with scored fixes.

Draft a Content Security Policy header with nonce, hash, or allowlist scripts, directive posture checks, and rollout warnings.

Check a Content-Security-Policy header for risky script rules, missing baseline directives, reporting gaps, and rollout fixes before enforcement.

Review certificate inventory CSV rows in your browser, rank expiry urgency, owner gaps, manual renewal risk, and public TLS lifetime findings.

Plan TLS certificate renewals from population, validity, lead time, spread, daily capacity, retry reserve, and safety buffer before expiry.

Decode a CSR locally, check SAN coverage and key strength, and review signature, fingerprints, expected-host matches, and readiness notes.

Generate an RSA CSR in your browser, review SANs, key usage, fingerprints, and OpenSSL config, then export PEM without sending keys.

Check a TLS certificate fingerprint against public CT data, compare hostname and issuer evidence, and keep revocation or reporting clues in view.

Generate Cisco IPv4 ACL commands from flow rows, with wildcard conversion, sequence planning, expansion checks, and safety review tables.

Analyze container scan output in your browser, normalize vulnerability findings, test release gates, and rank fixable packages for remediation.

Validate DANE TLSA records for mail or TLS services with owner-name routing, DNSSEC AD checks, digest comparison, and readiness scoring.

Generate a DKIM DNS TXT record from a selector, domain, and public key with key-strength checks, split-string guidance, and DNS publish fields.

Validate a DKIM selector in public DNS, inspect the TXT key record, key strength, testing flags, and resolver evidence before troubleshooting mail authentication.

Build a DMARC TXT record with owner labels, policy tags, report URIs, external authorization notes, rollout warnings, and DNS split guidance.

Validate a domain's DMARC record in public DNS, review policy alignment, report destinations, rollout signals, and control scores before enforcement changes.

Build a DNS denial proof for NXDOMAIN or NODATA, separating resolver evidence, NSEC/NSEC3 checks, CD-bypass splits, and retry timing.

Audit DNS glue and delegation for a domain, compare public resolver views, and turn NS address, CNAME, or DS gaps into repair evidence.

Enumerate public DNS records for a domain, URL, email domain, or IP with resolver evidence, mail-auth checks, DNSSEC clues, and action flags.

Check dependency license evidence against allowed, review, and denied policies with SPDX expression triage, scope filters, and action queues.

Triage dependency update rows by SemVer, runtime scope, security status, tests, and compatibility, then export owner-review queues and charts.

Generate a Diceware passphrase from EFF long-list rolls, then check entropy, manual dice evidence, length limits, and site policy fit.

Check a Dockerfile for risky defaults, line-level findings, and release-gate warnings covering base images, secrets, users, packages, and healthchecks.

Check raw email headers in your browser for relay delays, SPF/DKIM/DMARC alignment, ARC context, sender mismatches, and spoof-risk clues.

Inspect image EXIF locally, flag GPS, serial, timestamp, and author risks, then export a stripped or edited JPEG copy when supported.

Encrypt or decrypt a local file in your browser with AES-GCM, Argon2id/PBKDF2 controls, recovery metadata, and audit exports.

Hash a local file in your browser, compare SHA-2, SHA-3, MD5, SHA-1, or RIPEMD-160 digests, and export a session ledger for checks.

Analyze firewall deny logs in your browser, group blocked source-service paths, and prioritize watched ports with CIDR direction checks.

Build a firewall rule matrix from flow rows, with risk scoring, audit findings, object-group planning, platform notes, and a scope heatmap.

Review firewall rules for stale use, broad sources, expired access, missing owners, and privileged services with a scored cleanup queue.

Find shadowed firewall rules in ordered ACL exports, compare full and partial overlaps, and turn risky rule conflicts into a cleanup queue.

Generate HMAC signatures in your browser from text or local files, then compare expected headers with SHA choices and byte encodings.

Check pasted HTTP response headers for HSTS, CSP, cookies, cache, CORS, and disclosure risks with scoring, fix order, and JSON evidence.

Check pasted hashes or local text files for likely formats, cleanup warnings, confidence labels, ambiguity clues, and CSV or JSON evidence.

Check a live URL's HTTP headers, redirect hops, cache semantics, cookies, CORS exposure, and hardening priorities from one report.

Analyze IAM policy JSON for wildcard actions, broad resources, sensitive services, and least-privilege findings before approval.

Check IAM policy JSON for wildcard actions, resources, principals, negated allows, and PassRole exposure with ranked remediation evidence.

Strip image metadata in your browser, re-export a clean JPEG, PNG, or WebP, and compare privacy markers, GPS hints, size, and warnings.

Turn incident action rows into a review ledger with owners, due-date states, blocker checks, missing-field warnings, and workload charts.

Check JWT claims and headers for issuer, audience, time, algorithm, replay, and sensitive-data risks before relying on a token in an API.

Inspect a compact or Bearer JWT locally, read claims, and review timing, issuer, audience, signature, TTL, and sensitive-claim warnings.

Build Kubernetes NetworkPolicy YAML from pod labels and allow rows, with peer syntax checks, rollout commands, review warnings, and a flow map.

Check Kubernetes workload YAML for risky securityContext settings, inherited pod defaults, Pod Security gaps, and remediation patch cues.

Check an email domain's MTA-STS TXT record, HTTPS policy, MX coverage, cache window, and policy-host certificate before enforce mode.

Size a NAT or SNAT pool from public IPs, sessions, reserve, growth, and hot-destination pressure with capacity warnings and charts.

Check a domain's nameserver health with resolver comparison, glue readiness, public-address checks, SOA timers, and repair cues.

Turn network audit findings into a sorted remediation register with escalation status, owner queues, evidence gaps, charts, and report wording.

Check OAuth redirect URI registrations against observed requests, with exact-match drift, wildcard, fragment, HTTP, and open-redirect warnings.

Generate an OpenVPN client profile from endpoint, route, TLS, cipher, and certificate choices, then review import blockers and security warnings.

Plan local PDF open and owner passwords, estimate entropy, map permission flags, and export redacted handoff notes for later encryption.

Protect a PDF in your browser with open and owner passwords, AES encryption choices, permission profiles, local scans, and verification checks.

Plan PDF redactions locally, scan selectable text for targets, flag hidden-data risks, and export handoff evidence before true removal.

Unlock an approved PDF locally with a known open or owner password, check authorization and file evidence, then download a verified copy.

Split PEM bundles into certificates, CSRs, keys, and other BEGIN/END blocks with line spans, byte counts, and SHA-256 checks before export.

Check password strength in your browser, compare login and breach crack-time estimates, flag predictable patterns, and plan safer upgrades.

Summarize port exposure rows into a prioritized review list, flagging public high-risk services, missing owners, and host cleanup scope.

Normalize messy TCP and UDP port lists into compact scanner strings, IANA bands, service-risk cues, and warnings for ranges or bad tokens.

Convert Unicode domains and xn-- Punycode labels in your browser, with DNS length checks, script warnings, and copy-ready forms.

Build FreeRADIUS client stanzas from NAS CSV rows, with secret checks, address-scope warnings, hardening choices, and review output.

Estimate RADIUS requests per second from access, accounting, retries, and failover assumptions, then compare active-pool headroom.

Convert RSA PEM keys between PKCS#1, PKCS#8, encrypted private, and public wrappers with local parsing, fingerprints, and export checks.

Compare DNS-over-HTTPS resolver answers across open, security, and family profiles to spot policy splits, zero-sinks, and DNSSEC drift.

Check reverse DNS for an IP or hostname, verify forward-confirmed PTR names, compare public resolver views, and flag stale or weak records.

Review an S3 bucket policy for public principals, cross-account grants, service trust gaps, and Block Public Access evidence before approval.

Review SAML assertion timing from XML, SAMLResponse, or OAuth assertion captures with skew, bearer-expiry, replay-cache, and session evidence.

Review SAML metadata XML for import blockers, endpoint policy, entity roles, certificate dates, signature presence, and readiness evidence.

Analyze SARIF logs for release-gate findings, priority rows, rule and file hotspots, severity charts, and fingerprint coverage warnings.

Review CycloneDX, SPDX, Syft, or CSV SBOM evidence, rank component risk, and separate vulnerability, license, and identity review work.

Look up SMIMEA or OPENPGPKEY DNS records for a mailbox, derive the owner name, and compare DNSSEC, resolver, and payload evidence.

Build an SPF TXT record from real sender paths, provider includes, IP ranges, A/MX options, redirects, and lookup-budget warnings.

Check a domain's SPF record, trace include and redirect lookup cost, and spot duplicate records, weak endings, or over-limit policies.

Check SSH algorithm lists from configs or scans against a chosen policy, then review blockers, legacy exceptions, and config patch cues.

Check whether a TLS leaf certificate belongs with a candidate issuer CA, with signature proof, DN checks, CA flag status, expiry risk, and policy scoring.

Check a live host or pasted PEM chain for missing issuers, hostname mismatch, expiry risk, weak crypto, and install-ready certificate bundles.

Check a public hostname with SSL Labs evidence, spot weak TLS endpoints, chain gaps, legacy protocols, and renewal risk in a fix queue.

Check a live TLS host for certificate expiry, renewal timing, SAN coverage, issuer, serial, and fingerprints before outages reach users.

Match a TLS certificate against a CSR or RSA private key with SPKI pin comparison, chain warnings, encrypted-key handling, and exportable evidence.

Check OCSP revocation evidence for a public TLS host or pasted certificate, with responder status, freshness timestamps, warnings, and replay text.

Check Set-Cookie headers for SameSite delivery, Secure pairing, prefixes, partitioned cookies, and SSO or embedded-flow breakage.

Scan config, log, and ticket samples for secret-like values with masked findings, provider-pattern hits, entropy scoring, and rotation cues.

Generate account-ready passwords in your browser, tune character rules, and compare entropy, crack-time, zxcvbn strength, and history.

Convert an SSH public key between OpenSSH, SSH2, and PEM in your browser, then compare fingerprints and catch private-key or extra-key mistakes.

Extract a public SSH key from pasted or uploaded key text, compare SHA-256 and MD5 fingerprints, and build a reviewed authorized_keys line.

Convert PEM, DER, P7B, and PFX certificates in your browser, inspect chain expiry and key handling, and download the right artifact.

Decode SSL certificate text or files locally, inspect SAN names, dates, fingerprints, usage fields, and chain entries before deployment checks.

Trace a live TLS endpoint, inspect SNI, ALPN, cipher, certificate chain, and phase timings, and separate DNS, TCP, and TLS failures.

Validate a TLS-RPT record, review rua report destinations and related mail-policy signals, and build a DNS TXT snippet for publishing.

Encrypt or decrypt small text in your browser with AES-GCM, Argon2id or PBKDF2, portable envelopes, integrity checks, and byte-size evidence.

Hash exact UTF-8 text in your browser, compare SHA-2, SHA-3, MD5, SHA-1, or RIPEMD-160 digests, and save exportable comparison records.

Plan tie-down strap capacity from cargo weight, WLL, securement path, blocking, and length rules with weak-link and margin checks.

Check a suspicious URL against Safe Browsing, SURBL, and local URL-shape signals, then review scoped verdicts, coverage gaps, and follow-up links.

Estimate VPN tunnel user capacity from line rate, packet overhead, MTU, peak demand, and gateway caps with load warnings and JSON output.

Calculate vulnerability remediation due dates from CSV findings, apply severity SLAs and exploited caps, and surface overdue or due-soon queues.

Generate WireGuard server and client configs with peer route checks, topology preview, placeholder-key warnings, and review exports.

Build iptables or ip6tables commands with CIDR, port, chain, backend, persistence, and production-review checks before firewall changes.

Turn npm audit JSON or CI text into a release gate, severity ledger, fix-pressure queue, charts, and remediation handoff notes.