security-builders.fyi
A growing toolbox for the security-relevant pieces of a web app you actually have to get right. Pick a tool, build your config, copy it out. No accounts, no uploads — everything runs in your browser.
CSP Builder (ready)
Build, validate, and explain a Content-Security-Policy — then paste a page to see what it would block.
🌐 CORS Builder (ready)
Generate a CORS configuration for any server, understand each header, and evaluate whether a request would be allowed.
📝 security.txt (ready)
Produce a valid /.well-known/security.txt vulnerability-disclosure file per RFC 9116.
Why another set of tools?
Content-Security-Policy, CORS, and security.txt are easy to get subtly wrong — a stray
'unsafe-inline', a wildcard origin paired with credentials, an expired
disclosure contact. These builders show you the exact config to ship, explain every
directive in plain language, and flag the dangerous combinations before they reach
production.
🛡️ Content-Security-Policy
Assemble directives with live explanations, validate an existing policy, or paste a page's HTML to see exactly which scripts, styles, and resources a policy would block.
🌐 CORS
Generate Access-Control-* headers for nginx, Apache, Caddy, or Express,
and simulate the browser's CORS algorithm against pasted response headers.
📝 security.txt
Fill in the RFC 9116 fields, get validation on required and expiring values, and
download a ready-to-serve /.well-known/security.txt.