Methodology
Exactly how each tool works and where its data comes from.
Security Headers Checker
One GET request is sent to the URL you provide (following redirects). Seven response headers are evaluated with fixed weights: CSP (25), HSTS (20), X-Content-Type-Options (15), X-Frame-Options or CSP frame-ancestors (15), Referrer-Policy (10), Permissions-Policy (10), Server version leakage (5). Pass = full weight, partial/weak = half, missing = zero; grades map A ≥ 90%, B ≥ 75%, C ≥ 55%, D ≥ 35%, else F. The response is graded and discarded — nothing is stored.
DNS Lookup
Queries are forwarded to Cloudflare's public DNS-over-HTTPS resolver (cloudflare-dns.com) and rendered verbatim. The SPF/DMARC check runs two TXT lookups and applies published RFC 7208 / RFC 7489 qualifier semantics — nothing more.
CVE Lookup
Data comes from the NIST National Vulnerability Database 2.0 API, cached at the edge for 24 hours. We show NVD's own CVSS metrics, CISA KEV fields, CWE weaknesses, and references — never our own scores.
Client-side tools (JWT, Decoder Toolbox, Email Header Analyzer)
These run entirely in your browser using standard APIs (TextEncoder/TextDecoder, WebCrypto digest, atob/btoa). Your input is never transmitted — verify with your browser's network inspector. The email analyzer parses RFC 5322 headers and reports mismatches and Authentication-Results verdicts; it does not and cannot declare a message safe.
Limits, honestly
A header grade is not a security audit. A DNS answer is one resolver's view. A decoded JWT is not a validated one. Each tool states its own limits on its page; if a result seems surprising, verify with a second source.