Built for hackers,
free for everyone.

▶ Why HexScan exists

Security tools are scattered across dozens of different websites. Some require registration. Others are behind paywalls. Many are cluttered with ads that slow the page to a crawl, or redirect you to sketchy third-party services before you can run a single query.

Every developer who does any kind of security work — whether that's checking a password generator before deploying it, verifying HTTP headers on a production server, or auditing a site for exposed directories — needs a fast, clean, reliable toolkit they can trust. That toolkit shouldn't require a subscription.

HexScan exists to solve this. One URL. Eight tools. No friction. Built by a developer who needed exactly this and couldn't find it anywhere.

▶ Who is HexScan for?

HexScan was designed with three types of users in mind:

Developers — who need to quickly verify that their web applications send the right security headers, generate cryptographically strong passwords for testing environments, decode JWT tokens during API debugging, or encode/decode Base64 data without installing a local tool.

Security researchers and pentesters — who need fast passive reconnaissance tools (subdomain enumeration, IP analysis, directory exposure scanning) during the early stages of an authorized engagement, without spinning up a full Kali environment for a quick check.

Privacy-conscious users — who want to check whether their email appeared in a known data breach, or verify what information their IP address exposes to websites they visit.

All tools are appropriate for any level — beginners can use them without any technical knowledge, while professionals will appreciate the depth of results and the absence of unnecessary friction.

▶ The 8 tools inside HexScan

Each tool is self-contained, works client-side where possible, and is built for real-world use — not just as a demo.

▶ How the tools work — technical overview

Most HexScan tools run entirely in the browser using vanilla JavaScript. The Password Generator, Base64/JWT Decoder, and CSP Generator perform all computation locally — no network requests are made, and nothing you type leaves your device.

Tools that require external data — the Breach Checker, IP Analyzer, and Subdomain Recon — query public APIs (LeakCheck, crt.sh, HackerTarget, ip-api.com). These APIs are called directly from your browser. HexScan does not proxy these requests through its own servers, which means HexScan never sees the queries you make.

The HTTP Header Analyzer and Directory Exposure Checker use a lightweight Cloudflare Worker as a proxy, because browsers cannot make direct cross-origin requests to arbitrary URLs. The Cloudflare Worker fetches the target URL and returns the response headers — it does not log or store the requests.

The entire codebase is public on GitHub. You are welcome to inspect, fork, or run it locally.

▶ Privacy commitment

HexScan does not use tracking cookies, fingerprinting, or behavioral analytics. There is no user account system, which means there is no database of user activity. The site uses Cloudflare Web Analytics (cookieless, privacy-preserving) to measure basic page views — no personal data is collected.

Google AdSense is used to serve display ads. AdSense may set cookies for ad personalization. You can opt out of personalized advertising via Google's Ad Settings. See the full Privacy Policy for details.

▶ Project history

▶ The developer

▶ Support the project

All HexScan tools are free and will stay free. Running the project has real costs — Cloudflare Workers for API proxying, third-party API access fees, and time spent maintaining and improving tools. If HexScan has saved you time or helped with your work, consider supporting it:

You can also support by starring the GitHub repository, sharing HexScan with your team, or contributing code.