# toolhq > Fast, privacy-first developer and design utilities. Most tools run entirely in your browser — nothing is uploaded. No accounts, no tracking, free forever. The few tools that use the network state exactly where requests go. ## Tools ### Data & Format - [JSON Formatter & Validator](https://www.toolhq.io/tools/json-formatter): Format, validate, and minify JSON with clear error messages and line numbers. - [Number Base Converter](https://www.toolhq.io/tools/base-converter): Convert numbers between binary, octal, decimal, and hexadecimal instantly. - [JSON ↔ CSV Converter](https://www.toolhq.io/tools/json-csv): Convert JSON to CSV and CSV to JSON, with quoted fields and nested values handled. - [Chmod Calculator](https://www.toolhq.io/tools/chmod-calculator): Build Unix file permissions visually and get the octal and symbolic notation for chmod. - [YAML ↔ JSON Converter](https://www.toolhq.io/tools/yaml-json): Convert YAML to JSON and JSON to YAML instantly in your browser. - [JSON ↔ TOML Converter](https://www.toolhq.io/tools/json-toml): Convert JSON to TOML and TOML to JSON instantly in your browser. - [SQL Formatter](https://www.toolhq.io/tools/sql-formatter): Format and beautify SQL queries with dialect and keyword case options. - [JSON to TypeScript](https://www.toolhq.io/tools/json-to-ts): Generate TypeScript interfaces from a JSON sample, with nested types. - [XML Formatter](https://www.toolhq.io/tools/xml-formatter): Format, indent, and minify XML in your browser with clear structure. ### Encode & Decode - [Base64 Encode / Decode](https://www.toolhq.io/tools/base64): Convert text to and from Base64 with correct UTF-8 handling and a URL safe option. - [Hash Generator](https://www.toolhq.io/tools/hash-generator): Generate SHA-1, SHA-256, SHA-384, and SHA-512 hashes of any text, live as you type. - [HTML Entity Encoder / Decoder](https://www.toolhq.io/tools/html-entities): Escape text for safe use in HTML, or decode entities like & back to readable characters. - [HMAC Generator](https://www.toolhq.io/tools/hmac-generator): Compute HMAC-SHA256, SHA-1, or SHA-512 signatures from a message and secret key. - [Encrypt / Decrypt Text](https://www.toolhq.io/tools/encrypt-text): Encrypt text with a password using AES-256-GCM, and decrypt it back. Real encryption, fully in your browser. - [Image to Base64](https://www.toolhq.io/tools/image-base64): Convert an image to a Base64 data URI and back, without uploading the file. ### Generators - [UUID & Token Generator](https://www.toolhq.io/tools/uuid-generator): Generate v4 UUIDs in bulk and secure random tokens with custom length and character sets. - [Cron Generator](https://www.toolhq.io/tools/cron-generator): Build cron expressions from presets, see them explained in plain English, and preview the next run times. - [Lorem Ipsum Generator](https://www.toolhq.io/tools/lorem-ipsum): Generate placeholder text by the paragraph, sentence, or word, ready to paste into any design or layout. - [Password Strength Analyzer](https://www.toolhq.io/tools/password-strength): Check how strong a password really is: entropy, character variety, and estimated time to crack. - [TOTP Code Generator](https://www.toolhq.io/tools/otp-generator): Generate time based one time passwords (TOTP) from a secret key, the same codes your authenticator app shows. - [QR Code Generator](https://www.toolhq.io/tools/qr-generator): Generate a QR code from text or a URL, entirely in your browser, and download it. ### Text - [Regex Tester](https://www.toolhq.io/tools/regex-tester): Test regular expressions against sample text with live match highlighting and capture groups. - [Case Converter & Slugify](https://www.toolhq.io/tools/case-converter): Convert text between camelCase, snake_case, kebab-case, Title Case, and generate URL slugs. - [Text Diff Checker](https://www.toolhq.io/tools/diff-checker): Compare two blocks of text line by line and see exactly what was added, removed, or unchanged. - [Text Statistics & Word Counter](https://www.toolhq.io/tools/text-statistics): Count characters, words, sentences, and paragraphs, with reading time and word frequency. - [Markdown Previewer](https://www.toolhq.io/tools/markdown-preview): Write Markdown and see the rendered result and HTML, live in your browser. ### Web & Network - [JWT Decoder](https://www.toolhq.io/tools/jwt-decoder): Decode JWT headers and payloads, inspect claims, and check expiry. Decode only, nothing is sent anywhere. - [User-Agent Parser](https://www.toolhq.io/tools/user-agent-parser): Parse any user agent string into browser, engine, OS, device, and CPU details. - [API Tester](https://www.toolhq.io/tools/api-tester): Send REST requests from your browser, import or copy as cURL, and inspect the status, headers, timing, and response body. - [Webhook Inspector](https://www.toolhq.io/tools/webhook-inspector): Get a unique URL, point a webhook at it, and inspect every request it receives in real time. - [URL Encoder & Parser](https://www.toolhq.io/tools/url-tools): Encode and decode URL components, and break any URL into protocol, host, path, and query parameters. - [Timestamp Converter](https://www.toolhq.io/tools/timestamp-converter): Convert Unix timestamps to readable dates and back, with a live current timestamp and timezone support. - [HTTP Status Codes](https://www.toolhq.io/tools/http-status-codes): Searchable reference of every HTTP status code with what it means and when to use it. - [MIME Type Lookup](https://www.toolhq.io/tools/mime-types): Find the right MIME type for any file extension, or look up which extensions a MIME type covers. - [IPv4 Subnet Calculator](https://www.toolhq.io/tools/subnet-calculator): Enter an IP and CIDR prefix to get the network address, broadcast, host range, and subnet mask. - [IP Address Lookup](https://www.toolhq.io/tools/ip-lookup): See your public IP address and look up location, ISP, and timezone details for any IP. - [VPN & Proxy Detector](https://www.toolhq.io/tools/vpn-detector): Check whether an IP address is a VPN, proxy, Tor exit, or datacenter, with the signals behind the verdict. - [Open Graph Meta Generator](https://www.toolhq.io/tools/og-meta-generator): Fill in your page details and get the complete Open Graph and Twitter card meta tags, ready to paste. - [HTTP Header Checker](https://www.toolhq.io/tools/http-headers): Fetch a URL from the server, follow redirects, and inspect response and security headers. - [Nginx Config Generator](https://www.toolhq.io/tools/nginx-config-generator): Generate nginx server blocks for reverse proxy, static sites, SSL, load balancing, and WebSockets. - [VPN Config Generator](https://www.toolhq.io/tools/vpn-config-generator): Generate VPN configs with config file, plain text summary, and QR code for WireGuard, OpenVPN, IKEv2, and more. ### Email & DNS - [MX Lookup](https://www.toolhq.io/tools/mx-lookup): Look up a domain's mail (MX) servers in priority order, with their IP addresses. - [DNS Lookup](https://www.toolhq.io/tools/dns-lookup): Query A, AAAA, MX, TXT, NS, SOA, CNAME, and CAA records for any domain. - [DNS Propagation Checker](https://www.toolhq.io/tools/dns-propagation): Check whether a DNS record has propagated by querying it against multiple public resolvers at once. - [Blacklist Check](https://www.toolhq.io/tools/blacklist-check): Check an IP address or domain against major email DNS blacklists (DNSBLs). - [Email Health (SPF, DKIM, DMARC)](https://www.toolhq.io/tools/email-health): Check a domain's SPF, DKIM, and DMARC records plus its MX, with plain-English notes. - [Email Header Analyzer](https://www.toolhq.io/tools/email-header-analyzer): Trace the delivery path, read SPF, DKIM, and DMARC verdicts, and spot spoofing signs in raw email headers. Parsed entirely in your browser. - [DMARC Report Viewer](https://www.toolhq.io/tools/dmarc-report-viewer): Read DMARC aggregate XML reports in your browser. Upload the .xml, .gz, or .zip attachment and see who passes and fails. - [Reverse DNS (PTR Lookup)](https://www.toolhq.io/tools/reverse-dns): Look up PTR records for an IP address and see the associated hostnames. - [Domain Registration Lookup](https://www.toolhq.io/tools/domain-lookup): Look up domain registration dates, registrar, nameservers, and status via RDAP. - [SPF Record Generator](https://www.toolhq.io/tools/spf-generator): Build a valid SPF TXT record from includes, IP addresses, and an all mechanism. - [DMARC Record Generator](https://www.toolhq.io/tools/dmarc-generator): Build a DMARC TXT record for _dmarc with policy, reporting, and alignment options. - [DKIM Record Generator](https://www.toolhq.io/tools/dkim-generator): Generate an RSA key pair and DKIM DNS TXT record locally in your browser. - [BIMI Record Checker](https://www.toolhq.io/tools/bimi-checker): Look up a domain's BIMI TXT record for brand logo and authority evidence URLs. ### SSL & Certificates - [SSL Checker](https://www.toolhq.io/tools/ssl-checker): Inspect a host's TLS certificate chain, expiry, trust, protocol, and hostname match. - [SSL & CSR Decoder](https://www.toolhq.io/tools/ssl-decoder): Paste a PEM certificate or CSR and read subject, issuer, validity, SANs, and fingerprints locally. - [Key Matcher](https://www.toolhq.io/tools/key-matcher): Check whether a PEM private key matches a certificate. The key never leaves your browser. - [CA Matcher](https://www.toolhq.io/tools/ca-matcher): Verify that a CA certificate signed an end-entity certificate. Parsed locally in your browser. - [CSR Generator](https://www.toolhq.io/tools/csr-generator): Generate an RSA private key and certificate signing request (CSR) locally in your browser. - [RSA Key Converter](https://www.toolhq.io/tools/rsa-key-converter): Convert RSA private and public keys between PKCS#1, PKCS#8, SPKI, and DER base64 locally. - [Bulk SSL Checker](https://www.toolhq.io/tools/bulk-ssl-checker): Check TLS certificates for up to 20 hostnames at once and compare expiry and trust. - [CT Log Lookup](https://www.toolhq.io/tools/ct-log-lookup): Search public Certificate Transparency logs for certificates issued to a domain. - [SSL Converter](https://www.toolhq.io/tools/ssl-converter): Convert PEM certificates and keys to PKCS#12 or PKCS#7, or extract PEM from a PKCS#12 file locally. - [OCSP Checker](https://www.toolhq.io/tools/ocsp-checker): Query the OCSP responder listed in a certificate to see if it is good, revoked, or unknown. - [Alt DCV Checker](https://www.toolhq.io/tools/alt-dcv-checker): Look up common DNS domain control validation records used during certificate issuance. ### Design - [Color Converter & Contrast Checker](https://www.toolhq.io/tools/color-tools): Convert between HEX, RGB, and HSL, and check WCAG contrast for any two colors. - [CSS Gradient Generator](https://www.toolhq.io/tools/css-gradient): Build linear and radial CSS gradients visually and copy the code. - [Cubic Bezier Generator](https://www.toolhq.io/tools/cubic-bezier): Design CSS cubic-bezier easing curves visually and copy the value. ## Articles - [ERR_SSL_VERSION_OR_CIPHER_MISMATCH: what it means and how to fix it](https://www.toolhq.io/blog/fix-err-ssl-version-or-cipher-mismatch): Chrome throws ERR_SSL_VERSION_OR_CIPHER_MISMATCH when the browser and server share no common TLS version or cipher. The usual causes and the fixes. - [We checked SPF and DMARC on 21 well-known SaaS domains: here's what we found](https://www.toolhq.io/blog/saas-email-security-study-spf-dmarc): A reproducible snapshot of the email authentication posture of 21 well-known SaaS companies. Everyone publishes SPF and DMARC, but a quarter still stop short of enforcement. - [DMARC p=reject is bouncing legitimate email: how to find and fix the gap](https://www.toolhq.io/blog/dmarc-reject-bouncing-legitimate-email): When you move DMARC to p=reject, real mail can start bouncing because a sending source was never aligned. How to find the source and fix it without disabling DMARC. - [DNS propagation explained: why your change isn't live everywhere yet](https://www.toolhq.io/blog/dns-propagation-explained): Why a DNS change shows up in some places before others, how TTLs control the delay, and how to read a propagation checker when resolvers disagree. - [How VPN and proxy detection works (and why you got flagged)](https://www.toolhq.io/blog/how-vpn-and-proxy-detection-works): What a VPN detector actually checks: ASN and datacenter ranges, known provider lists, protocol probes, and reputation signals, plus how to read a verdict and dispute a false positive. - [SPF PermError: too many DNS lookups, and how to get back under 10](https://www.toolhq.io/blog/spf-permerror-too-many-dns-lookups): SPF allows a maximum of 10 DNS lookups. Cross it and your record returns PermError and stops authenticating mail. How to count, flatten, and stay under the limit. - [NET::ERR_CERT_AUTHORITY_INVALID: why the browser does not trust your certificate](https://www.toolhq.io/blog/fix-net-err-cert-authority-invalid): Chrome shows NET::ERR_CERT_AUTHORITY_INVALID when it cannot build a trusted path to a root CA. Self-signed certs, missing intermediates, and untrusted roots explained. - [DKIM signature did not verify: the causes, in order of likelihood](https://www.toolhq.io/blog/dkim-signature-did-not-verify): A DKIM signature fails for a handful of concrete reasons: a missing or wrong public key, body changes in transit, the wrong selector, or a key that is too short. How to find which. - [toolhq vs FreeFormatter: formatting XML and more in the browser](https://www.toolhq.io/blog/toolhq-vs-freeformatter): FreeFormatter is a broad, long running set of formatters and validators. toolhq does the common XML and JSON jobs entirely in your browser. A fair, focused comparison. - [What's inside a CSR, byte by byte](https://www.toolhq.io/blog/whats-inside-a-csr-byte-by-byte): A certificate signing request is a small ASN.1 structure: a subject, a public key, optional attributes, and a self-signature. A field-by-field walk through what it contains and why. - [toolhq vs regex101: quick regex testing vs a full debugger](https://www.toolhq.io/blog/toolhq-vs-regex101): regex101 is a best in class regex debugger with explanations and multiple flavors. toolhq is for fast, distraction free testing. Here is when to reach for each one. - [Reverse DNS and PTR records explained](https://www.toolhq.io/blog/reverse-dns-and-ptr-records): Reverse DNS maps an IP address back to a hostname using PTR records. Learn the in-addr.arpa zone, why mail servers check it, and how FCrDNS works. - [Fixing SSL certificate chain errors: valid in the browser, broken everywhere else](https://www.toolhq.io/blog/fix-ssl-certificate-chain-errors): Why a site can look fine in Chrome while curl fails with unable to get local issuer certificate: missing intermediates, AIA fetching, and the fullchain.pem fix. - [How to read email headers: tracing a message hop by hop](https://www.toolhq.io/blog/how-to-read-email-headers): Where to find raw headers in Gmail, Outlook, and Apple Mail, how to read the Received chain from the bottom up, and what Authentication-Results actually proves. - [SPF, DKIM, and DMARC explained: what each one actually verifies](https://www.toolhq.io/blog/spf-dkim-dmarc-explained): What SPF, DKIM, and DMARC each prove, why no single one stops spoofing on its own, the record mistakes that break delivery, and a minimal correct setup. - [toolhq vs jwt.io: decoding tokens without sending them anywhere](https://www.toolhq.io/blog/toolhq-vs-jwt-io): How toolhq's JWT decoder compares to jwt.io. Both decode in the browser, both are free, and one rule matters most: never paste a production token into a tool you do not trust. - [Understanding DMARC aggregate reports: what the XML is telling you](https://www.toolhq.io/blog/understanding-dmarc-aggregate-reports): Why DMARC rua reports arrive as zipped XML, how to read the records inside, what alignment actually means, and when it is safe to move from p=none to reject. - [HTML entities: when and how to encode them](https://www.toolhq.io/blog/html-entities-encode-and-decode): Which characters must be escaped in HTML, named versus numeric entities, how encoding prevents broken markup and a class of XSS, and when you can skip it. - [Common MIME types every developer should know](https://www.toolhq.io/blog/common-mime-types-reference): A clear reference to MIME types: what they are, how the Content-Type header works, the charset parameter, and why the wrong type breaks downloads and rendering. - [toolhq vs IT Tools: two browser-first toolboxes compared](https://www.toolhq.io/blog/toolhq-vs-it-tools): IT Tools is an excellent open source, self hostable toolbox. toolhq is a polished hosted set. An honest comparison through the lens of UUID and token generation. - [How to format SQL queries for readability](https://www.toolhq.io/blog/format-sql-queries-for-readability): Why consistent SQL formatting speeds up review and debugging, the conventions worth adopting, and a before and after example that changes only whitespace, not results. - [Encrypting text in your browser with AES](https://www.toolhq.io/blog/encrypt-text-in-the-browser): What AES encryption actually protects, why your passphrase carries the security, and how client side encryption keeps plaintext off every server you touch. - [Unix timestamps and epoch time explained: seconds, milliseconds, and the 2038 problem](https://www.toolhq.io/blog/unix-timestamp-epoch-time-explained): What a Unix timestamp actually counts, why some are ten digits and some are thirteen, how time zones fit in, and the gotchas that cause off-by-1000 and off-by-a-lifetime bugs. - [CIDR notation and subnetting explained: what /24 actually means](https://www.toolhq.io/blog/cidr-notation-and-subnetting-explained): How to read CIDR notation, work out how many addresses a subnet holds, find the network and broadcast addresses, and stop guessing when you write a firewall or VPC rule. - [toolhq vs CyberChef: when you want simple over a full workbench](https://www.toolhq.io/blog/toolhq-vs-cyberchef): CyberChef is a powerful client side workbench for chained operations. toolhq is for the quick single task. Here is when each one is the right call. - [How to verify webhook signatures with HMAC](https://www.toolhq.io/blog/verify-webhook-signatures-with-hmac): Webhook endpoints are public, so anyone can POST to them. Learn how HMAC signatures prove a payload came from the real provider and how to verify them. - [CSS easing and cubic-bezier curves, made intuitive](https://www.toolhq.io/blog/css-easing-and-cubic-bezier-curves): What an easing function is, what the built-in keywords actually do, and how the four numbers in cubic-bezier map to a curve, including overshoot with values above one. - [Understanding chmod and Unix file permissions: what 755 and 644 actually mean](https://www.toolhq.io/blog/understanding-chmod-and-unix-permissions): How Unix permissions are structured, how to read and write the octal numbers behind chmod, and the safe defaults for files, scripts, directories, and SSH keys. - [Converting between binary, hex, and decimal](https://www.toolhq.io/blog/convert-between-binary-hex-and-decimal): Understand number bases the practical way: how binary, hex, and decimal relate, why hex maps cleanly onto bytes, and how to convert by hand reliably. - [How to format JSON without uploading it anywhere](https://www.toolhq.io/blog/format-json-without-uploading-it): Most online JSON formatters upload what you paste. Here is how to format and validate JSON locally, why it matters for secrets, and how to verify nothing leaves your browser. - [How TOTP authenticator codes work: the math behind the 6 digits](https://www.toolhq.io/blog/how-totp-authenticator-codes-work): Why the codes in Google Authenticator and Authy change every 30 seconds, how the server verifies them offline, and what the QR code you scan actually contains. - [toolhq vs CodeBeautify: a privacy-first take on online dev tools](https://www.toolhq.io/blog/toolhq-vs-codebeautify): How toolhq and CodeBeautify compare for everyday JSON work, where each one fits, and why a browser only formatter changes how your data is handled. - [URL encoding explained: why spaces become %20 and when you need it](https://www.toolhq.io/blog/url-encoding-explained): What percent-encoding is, which characters are reserved, the difference between encodeURI and encodeURIComponent, and how to stop breaking query strings and redirects. - [CSS gradients explained: linear, radial, and conic](https://www.toolhq.io/blog/css-gradients-linear-radial-conic): How linear, radial, and conic gradients work in CSS, from angles and color stops to hard stops for stripes and layering multiple gradients in one background. - [Convert YAML to JSON and back: the rules that trip people up](https://www.toolhq.io/blog/yaml-to-json-and-back): YAML and JSON map onto each other, mostly. The gotchas: indentation, types, the Norway problem, anchors, and multi-document files, with how each one converts. - [How to debug webhooks: see what Stripe, GitHub, and others actually send](https://www.toolhq.io/blog/how-to-debug-webhooks): Webhook integrations fail silently because you cannot see the request. Here is how to capture and inspect real webhook payloads before writing your handler. - [CORS errors explained: why your API request works in curl but fails in the browser](https://www.toolhq.io/blog/cors-errors-explained): The request works in curl and Postman but the browser says CORS error. What CORS actually is, why it exists, and how to fix it on the server. - [How to read an SSL certificate: subject, SAN, chain, and expiry](https://www.toolhq.io/blog/how-to-read-an-ssl-certificate): What the fields in a TLS certificate mean, how the chain of trust works, why the SAN matters more than the common name, and how to catch the problems before your users do. - [When to use SHA-256 vs HMAC vs bcrypt](https://www.toolhq.io/blog/sha256-vs-hmac-vs-bcrypt): Three things people reach for interchangeably and should not. What a hash, a MAC, and a password hash each guarantee, and which to use for integrity, authentication, and storing passwords. - [What is actually inside a JWT, and why you can read it without the secret](https://www.toolhq.io/blog/what-is-inside-a-jwt): JSON Web Tokens look like random strings but they are readable by anyone. What the three parts contain, what the signature does, and what JWTs cannot do. - [How strong is your password really? Entropy explained](https://www.toolhq.io/blog/password-entropy-explained): Password strength is not about symbols, it is about entropy. How entropy is calculated, why length beats complexity, and what crack-time estimates actually mean. - [Generate TypeScript types from JSON: stop hand-writing interfaces](https://www.toolhq.io/blog/generate-typescript-types-from-json): Why turning a real API response into TypeScript interfaces beats writing them by hand, how optional and nullable fields are inferred, and where generated types still need a human. - [What every HTTP status code actually means](https://www.toolhq.io/blog/http-status-codes-explained): A practical guide to HTTP status codes by class: when to send each common one, the ones people misuse (401 vs 403, 400 vs 422), and what clients should do with them. - [How to safely share logs and API keys in a bug ticket](https://www.toolhq.io/blog/share-logs-and-api-keys-safely): Pasting logs into a ticket leaks tokens, emails, and internal hosts. How to redact sensitive values consistently before you share, and what attackers do with what leaks. - [camelCase, snake_case, kebab-case, PascalCase: which goes where](https://www.toolhq.io/blog/naming-conventions-camelcase-snakecase-kebabcase): A practical guide to the naming conventions you meet daily, why each ecosystem settled on its own, and how to convert between them without introducing bugs. - [Reading a user-agent string: a field-by-field guide](https://www.toolhq.io/blog/reading-a-user-agent-string): User-agent strings look like noise but follow a pattern. How to read browser, engine, OS, and device out of one, and why they are full of legacy lies. - [JSON to CSV: turn an API response into a spreadsheet](https://www.toolhq.io/blog/json-to-csv-api-to-spreadsheet): How to convert a JSON array into clean CSV for Excel or Sheets, including the escaping rules and what happens to nested objects and missing fields. - [How to fix "Unexpected token" JSON errors](https://www.toolhq.io/blog/fix-unexpected-token-json-errors): Unexpected token errors mean your JSON breaks one of five rules. Here is how to find the exact character that breaks parsing and fix it fast. - [Generate QR codes that never leave your browser](https://www.toolhq.io/blog/generate-qr-codes-in-your-browser): Most QR generators send your URL to a server and some add tracking redirects. How client-side QR generation works and why it matters for private links. - [Open Graph tags: how to control how your links look when shared](https://www.toolhq.io/blog/open-graph-tags-for-link-previews): The handful of meta tags that decide the title, description, and image when your page is shared on Slack, X, LinkedIn, and iMessage, plus the image rules that actually matter. - [Markdown to HTML: a practical reference](https://www.toolhq.io/blog/markdown-to-html-reference): The Markdown syntax that converts cleanly to HTML, the parts that vary between flavors, and how to preview the rendered output as you write. - [Cron expressions explained with 12 real examples](https://www.toolhq.io/blog/cron-expression-examples): Cron syntax in five minutes: what each field means, 12 copy paste examples from every minute to quarterly, and the day-of-week trap everyone hits. - [UUID v4 vs v7: which should you use for database keys?](https://www.toolhq.io/blog/uuid-v4-vs-v7-database-keys): Random UUIDs fragment database indexes, time ordered ones do not. When v4 is fine, when v7 is better, and why auto increment integers still have a place. - [Regex lookahead and lookbehind, explained simply](https://www.toolhq.io/blog/regex-lookahead-lookbehind): Lookarounds let a regex check what comes before or after a match without consuming it. The four types, real examples, and when not to use them. - [DNS records explained: A, AAAA, CNAME, MX, TXT, and NS](https://www.toolhq.io/blog/dns-records-explained): What each DNS record type does, how to check them, and how to debug the classic problems: propagation delays, wrong CNAMEs, and failing email. - [WCAG color contrast: what AA and AAA actually require](https://www.toolhq.io/blog/wcag-color-contrast-requirements): The contrast ratios WCAG requires for text, what counts as large text, which elements are exempt, and how to check your colors in seconds. - [Base64 is not encryption: what it is and when to use it](https://www.toolhq.io/blog/base64-is-not-encryption): Base64 hides nothing. What encoding actually does, where Base64 shows up in web development, and the security mistakes it causes. ## Pages - [All tools](https://www.toolhq.io/tools) - [Blog](https://www.toolhq.io/blog) - [About](https://www.toolhq.io/about) - [Privacy](https://www.toolhq.io/privacy) - [Sitemap](https://www.toolhq.io/sitemap.xml)