FIX: Security headers (CSP, HSTS, X-Frame-Options) · SRI on CDN scripts · Performance: font loading, CSS preload, critical inline CSS
May 20, 2025 · Release
DevOpsArsenal Launches with 50 Free Browser-Based Tools
We are launching DevOpsArsenal, a collection of 50 free tools built specifically for DevOps engineers, cloud architects and developers. Every tool runs 100% in your browser. No signup, no backend, no data collection.
Why Another Developer Tool Site?
Most online developer tools have at least one of these problems: they require signup, they send your data to a server, they are slow and bloated with ads, or they charge for basic features. We wanted tools that just work: paste input, get output, copy and go.
Utilities (15): Regex Tester, UUID Generator, Unix Timestamp, Text Case Converter, Word Counter, Duplicate Remover, Markdown Preview, chmod Calculator, URL Encoder, HTML Entity Encoder, Color Converter, Epoch Batch Converter, Regex Library, AI Prompt Library, HTTP Status Code Picker
Technical Architecture
Every tool is a single HTML file with embedded CSS and JavaScript. No build step, no npm, no frameworks. We use the browser's native Web Crypto API for all cryptographic operations (hashing, HMAC, key generation) instead of custom implementations. The only external dependency is forge.js for X.509 certificate parsing in the SSL Inspector.
The entire site is static and deployed on Netlify CDN with Brotli compression, achieving sub-200ms page loads globally. Average page transfer size is approximately 11KB.
May 21, 2025 · Article
Why We Built Everything Client-Side (And You Should Too)
The architectural decision behind making every tool run in the browser with zero server-side processing, and how it affects privacy, performance, cost and developer trust.
The Trust Problem
When you paste a JWT token or API key into a server-side tool, you are trusting that server not to log, store or transmit your secrets. Most developers do this dozens of times a day without thinking. We decided to eliminate that trust requirement entirely.
How It Works
Every DevOpsArsenal tool processes data using JavaScript running in your browser tab. The browser's sandboxed environment ensures your data stays in memory only for the current session. When you close the tab, it is gone.
For cryptographic operations, we use crypto.subtle (the Web Crypto API) which provides hardware-accelerated, timing-attack-resistant implementations of SHA-256, SHA-512, HMAC, RSA key generation and more. This is the same API that password managers and banking sites use.
The Performance Benefit
No server round-trips means instant results. Our hash generator computes SHA-256 in under 1ms for typical inputs. CIDR calculations, regex matching, JSON formatting: all happen at native speed in the browser's V8 engine. No loading spinners, no "processing" delays.
The Cost Benefit
With zero server-side compute, our hosting cost is effectively zero (Netlify's free tier handles static file serving). This means we can offer all 50 tools free forever: there are no compute costs that scale with usage.
May 21, 2025 · Tip
5 JWT Mistakes That Will Get You Hacked
Common JWT implementation mistakes we see in the tokens people decode with our JWT tool, and how to avoid them in your own applications.
1. Using "none" Algorithm
If your JWT library accepts alg: none, an attacker can forge any token by simply removing the signature. Always validate the algorithm server-side and reject unsigned tokens.
2. Storing Secrets in the Payload
JWT payloads are Base64-encoded, not encrypted. Anyone with the token can decode it. Never put passwords, API keys, or sensitive PII in JWT claims. Use encrypted JWE if you need confidential claims.
3. No Expiry (exp claim)
A JWT without an expiry is valid forever, even after the user changes their password. Always set short-lived tokens (15-60 minutes for access tokens) with refresh token rotation.
4. Weak Signing Keys
Using a short string like secret or password123 as your HMAC key means it can be brute-forced. Use at least 256 bits (32 bytes) of cryptographic randomness. Better yet, use RS256 with an RSA key pair.
5. Not Validating the Issuer
If you accept tokens from any issuer (iss claim), an attacker with their own JWT signing key can mint valid tokens. Always validate iss, aud and sub claims against expected values.
Try our JWT Decoder to inspect your tokens and check for these issues.
May 21, 2025 · Security
The 6 HTTP Security Headers Every Site Needs in 2025
A quick reference for the essential security headers that should be on every production web server, and how to set them up in Nginx, Apache and Netlify.
1. Content-Security-Policy (CSP)
Controls which resources the browser is allowed to load. Mitigates XSS by blocking inline scripts and unauthorized external sources. Start with default-src 'self' and allow only what you need.
2. Strict-Transport-Security (HSTS)
Forces browsers to always use HTTPS. Set max-age=31536000; includeSubDomains; preload and submit to the HSTS preload list for maximum protection.
3. X-Content-Type-Options
Set to nosniff to prevent browsers from MIME-sniffing a response away from the declared Content-Type. Stops attackers from disguising executable content as images.
4. X-Frame-Options
Set to DENY or SAMEORIGIN to prevent your site from being embedded in iframes; this is the primary defence against clickjacking attacks.
5. Referrer-Policy
Controls how much referrer information is shared with other sites. strict-origin-when-cross-origin is a good default: it sends only the origin on cross-site requests but the full URL for same-origin requests.
6. Permissions-Policy
Disables browser features you do not use: camera=(), microphone=(), geolocation=(). Reduces attack surface by preventing malicious scripts from accessing sensitive APIs.
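As an added example (not DevOpsArsenal's own code), here is a small audit routine that checks a response's headers against the six recommendations above and reports which are missing or weaker than recommended. Both sample header sets are constructed; the partner hostname in the weak set is a placeholder. The HARDENED object holds exactly the values given above, so it doubles as the list of add_header lines (nginx) or _headers entries (Netlify) a deployment needs to emit.

```javascript
// Added example, not DevOpsArsenal code: audit response headers against the
// six recommendations above. Input is a plain object of header name -> value,
// e.g. Object.fromEntries(res.headers) after a fetch().

// Case-insensitive lookup: servers vary in how they case header names.
function getHeader(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : String(headers[key]).trim();
}

// HSTS counts as strong only with a one-year max-age and includeSubDomains.
function hstsOk(v) {
  const m = /max-age=(\d+)/i.exec(v);
  return m !== null && Number(m[1]) >= 31536000 && /includeSubDomains/i.test(v);
}

// One check per header: `ok` decides whether a present value is acceptable,
// `fix` is the recommended value from the post.
const CHECKS = [
  { name: 'Content-Security-Policy',
    ok: v => /(^|;)\s*default-src\b/i.test(v),
    fix: "start from default-src 'self'" },
  { name: 'Strict-Transport-Security',
    ok: hstsOk,
    fix: 'max-age=31536000; includeSubDomains; preload' },
  { name: 'X-Content-Type-Options',
    ok: v => v.toLowerCase() === 'nosniff',
    fix: 'nosniff' },
  { name: 'X-Frame-Options',
    ok: v => ['DENY', 'SAMEORIGIN'].includes(v.toUpperCase()),
    fix: 'DENY or SAMEORIGIN' },
  { name: 'Referrer-Policy',
    ok: v => ['strict-origin-when-cross-origin', 'no-referrer', 'strict-origin', 'same-origin'].includes(v.toLowerCase()),
    fix: 'strict-origin-when-cross-origin' },
  { name: 'Permissions-Policy',
    // All three features named in the post must be disabled with an empty allowlist.
    ok: v => ['camera', 'microphone', 'geolocation'].every(f => new RegExp(`\\b${f}=\\(\\)`, 'i').test(v)),
    fix: 'camera=(), microphone=(), geolocation=()' },
];

// Returns one finding per header: status 'ok', 'missing' or 'weak'.
function auditHeaders(headers) {
  return CHECKS.map(c => {
    const v = getHeader(headers, c.name);
    if (v === undefined) return { header: c.name, status: 'missing', fix: c.fix };
    if (!c.ok(v)) return { header: c.name, status: 'weak', value: v, fix: c.fix };
    return { header: c.name, status: 'ok' };
  });
}

// Constructed sample responses. HARDENED uses the values recommended above.
const HARDENED = {
  'Content-Security-Policy': "default-src 'self'",
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains; preload',
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'DENY',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
};
// A typical under-configured site: lowercase names, a five-minute HSTS and the
// obsolete ALLOW-FROM directive (placeholder hostname). content-type is ignored.
const WEAK = {
  'strict-transport-security': 'max-age=300',
  'x-frame-options': 'ALLOW-FROM https://partner.example',
  'content-type': 'text/html',
};

// Compact list of everything that is not 'ok', e.g. "X-Frame-Options: weak".
function failures(headers) {
  return auditHeaders(headers)
    .filter(f => f.status !== 'ok')
    .map(f => `${f.header}: ${f.status}`);
}
console.log(failures(WEAK));     // six findings
console.log(failures(HARDENED)); // []
```

Point auditHeaders at the headers of your own deployment after each config change; a header that is present but weaker than recommended (a short HSTS max-age, the obsolete ALLOW-FROM) is reported separately from one that is absent, since the two need different fixes.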