FIX: Security headers (CSP, HSTS, X-Frame-Options) · SRI on CDN scripts · Performance: font loading, CSS preload, critical inline CSS
June 8, 2026 · Security
.env File Best Practices: How to Manage Secrets Without Getting Hacked
The most common way developers expose secrets is a Git commit. GitGuardian detected 12 million hardcoded secrets in public GitHub repos in 2023. This guide covers gitignore rules, startup validation, secret managers, and the .env patterns every team should follow.
Incident Severity Levels Explained: SEV0 to SEV5 With Real Examples
What is the difference between a SEV1 and a SEV2? This guide explains the full SEV0 to SEV5 framework with real examples, response time expectations, escalation paths, and a free severity matrix calculator for on-call teams.
API Rate Limiting Strategies: Token Bucket, Leaky Bucket, and How to Choose
There are four main rate limiting algorithms, and choosing the wrong one causes real problems: either you throttle legitimate users or let bursts overwhelm your backend. Includes burst limit formula, HTTP 429 headers, and retry-with-jitter code.
AWS vs GCP vs Azure CLI: The Command Reference Every Cloud Engineer Bookmarks
Stop tabbing between three browser windows of documentation. This side-by-side cheat sheet puts the most common AWS, GCP, and Azure CLI commands in one place (compute, storage, IAM, and logging) with a free cloud CLI command builder.
P50 vs P90 vs P99 Latency: Why Your Average Response Time Is Lying to You
Average API response time hides your worst user experiences entirely. Learn what P50, P90, and P99 latency percentiles actually mean, how to calculate them from raw data, and why SRE teams set SLOs on P99, not the mean.
How to Remove PII and Secrets from Logs Before Shipping to Splunk or ELK
Learn how to mask PII, API keys, and secrets from application logs before they reach Splunk, ELK, or Datadog. Includes regex patterns for Node.js, Python, Fluent Bit and Logstash, plus a free browser-based log masker tool.
DevOpsArsenal Launches with 50 Free Browser-Based Tools
We are launching DevOpsArsenal, a collection of 50 free tools built specifically for DevOps engineers, cloud architects and developers. Every tool runs 100% in your browser. No signup, no backend, no data collection.
Why Another Developer Tool Site?
Most online developer tools have at least one of these problems: they require signup, they send your data to a server, they are slow and bloated with ads, or they charge for basic features. We wanted tools that just work: paste input, get output, copy and go.
Utilities (15): Regex Tester, UUID Generator, Unix Timestamp, Text Case Converter, Word Counter, Duplicate Remover, Markdown Preview, chmod Calculator, URL Encoder, HTML Entity Encoder, Color Converter, Epoch Batch Converter, Regex Library, AI Prompt Library, HTTP Status Code Picker
Technical Architecture
Every tool is a single HTML file with embedded CSS and JavaScript. No build step, no npm, no frameworks. We use the browser's native Web Crypto API for all cryptographic operations (hashing, HMAC, key generation) instead of custom implementations. The only external dependency is forge.js for X.509 certificate parsing in the SSL Inspector.
The entire site is static and deployed on Netlify CDN with Brotli compression, achieving sub-200ms page loads globally. Average page transfer size is approximately 11KB.
May 21, 2025 · Article
Why We Built Everything Client-Side (And You Should Too)
The architectural decision behind making every tool run in the browser with zero server-side processing, and how it affects privacy, performance, cost and developer trust.
The Trust Problem
When you paste a JWT token or API key into a server-side tool, you are trusting that server not to log, store or transmit your secrets. Most developers do this dozens of times a day without thinking. We decided to eliminate that trust requirement entirely.
How It Works
Every DevOpsArsenal tool processes data using JavaScript running in your browser tab. The browser's sandboxed environment ensures your data stays in memory only for the current session. When you close the tab, it is gone.
For cryptographic operations, we use crypto.subtle (the Web Crypto API) which provides hardware-accelerated, timing-attack-resistant implementations of SHA-256, SHA-512, HMAC, RSA key generation and more. This is the same API that password managers and banking sites use.
The Performance Benefit
No server round-trips means instant results. Our hash generator computes SHA-256 in under 1ms for typical inputs. CIDR calculations, regex matching, JSON formatting โ all happen at native speed in the browser's V8 engine. No loading spinners, no "processing" delays.
The Cost Benefit
With zero server-side compute, our hosting cost is effectively zero (Netlify's free tier handles static file serving). This means we can offer all 50 tools free forever: there are no compute costs that scale with usage.
May 21, 2025 · Tip
5 JWT Mistakes That Will Get You Hacked
Common JWT implementation mistakes we see in the tokens people decode with our JWT tool, and how to avoid them in your own applications.
1. Using "none" Algorithm
If your JWT library accepts alg: none, an attacker can forge any token by simply removing the signature. Always validate the algorithm server-side and reject unsigned tokens.
2. Storing Secrets in the Payload
JWT payloads are Base64-encoded, not encrypted. Anyone with the token can decode it. Never put passwords, API keys, or sensitive PII in JWT claims. Use encrypted JWE if you need confidential claims.
3. No Expiry (exp claim)
A JWT without an expiry is valid forever, even after the user changes their password. Always set short-lived tokens (15-60 minutes for access tokens) with refresh token rotation.
4. Weak Signing Keys
Using a short string like secret or password123 as your HMAC key means it can be brute-forced. Use at least 256 bits (32 bytes) of cryptographic randomness. Better yet, use RS256 with an RSA key pair.
5. Not Validating the Issuer
If you accept tokens from any issuer (iss claim), an attacker with their own JWT signing key can mint valid tokens. Always validate iss, aud and sub claims against expected values.
Try our JWT Decoder to inspect your tokens and check for these issues.
May 21, 2025 · Security
The 6 HTTP Security Headers Every Site Needs in 2025
A quick reference for the essential security headers that should be on every production web server, and how to set them up in Nginx, Apache and Netlify.
1. Content-Security-Policy (CSP)
Controls which resources the browser is allowed to load. Prevents XSS by blocking inline scripts and unauthorized external sources. Start with default-src 'self' and whitelist what you need.
2. Strict-Transport-Security (HSTS)
Forces browsers to always use HTTPS. Set max-age=31536000; includeSubDomains; preload and submit to the HSTS preload list for maximum protection.
3. X-Content-Type-Options
Set to nosniff to prevent browsers from MIME-sniffing a response away from the declared Content-Type. Stops attackers from disguising executable content as images.
4. X-Frame-Options
Set to DENY or SAMEORIGIN to prevent your site from being embedded in iframes, the primary defence against clickjacking attacks.
5. Referrer-Policy
Controls how much referrer information is shared with other sites. strict-origin-when-cross-origin is a good default: it shares only the origin for cross-site requests and the full URL for same-origin requests.
6. Permissions-Policy
Disables browser features you do not use: camera=(), microphone=(), geolocation=(). Reduces attack surface by preventing malicious scripts from accessing sensitive APIs.
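The six headers above as a ready-to-send header set, plus an audit function that checks a response's headers against the same recommendations and reports what is missing or weakly configured. This is an added example, not DevOpsArsenal code; the names hardenedHeaders and auditSecurityHeaders are assumptions, and the header map it takes is the plain object a Node http response or a fetch Headers object converts to.

```javascript
// Added example, not DevOpsArsenal code: the six headers with the values
// recommended above, usable as res.writeHead(200, hardenedHeaders) in Node.
const hardenedHeaders = {
  'Content-Security-Policy': "default-src 'self'",
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains; preload',
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'DENY',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
};

// Audit a header map and return a list of findings (empty means all six pass).
// Header names are matched case-insensitively, as HTTP allows.
function auditSecurityHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();
  const findings = [];

  const csp = h['content-security-policy'];
  if (!csp) findings.push('CSP missing');
  else {
    const directives = csp.split(';').map((d) => d.trim());
    // script-src governs scripts; default-src is the fallback when it is absent.
    const scriptSrc = directives.find((d) => /^script-src(\s|$)/.test(d))
      || directives.find((d) => /^default-src(\s|$)/.test(d));
    if (!scriptSrc) findings.push('CSP has neither default-src nor script-src');
    else if (/'unsafe-inline'|'unsafe-eval'/.test(scriptSrc)) findings.push('CSP allows inline or eval scripts');
  }

  const hsts = h['strict-transport-security'] || '';
  const maxAge = /max-age=(\d+)/i.exec(hsts);
  if (!hsts) findings.push('HSTS missing');
  else if (!maxAge || Number(maxAge[1]) < 31536000) findings.push('HSTS max-age below one year');
  else if (!/includeSubDomains/i.test(hsts)) findings.push('HSTS lacks includeSubDomains');

  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') findings.push('X-Content-Type-Options is not nosniff');

  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (xfo !== 'DENY' && xfo !== 'SAMEORIGIN') findings.push('X-Frame-Options is not DENY or SAMEORIGIN');

  const rp = h['referrer-policy'];
  if (!rp) findings.push('Referrer-Policy missing');
  else if (/unsafe-url/i.test(rp)) findings.push('Referrer-Policy leaks full URLs cross-site');

  if (!h['permissions-policy']) findings.push('Permissions-Policy missing');
  return findings;
}
```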