Benteng, a Web Security Hub in Your Browser. Grade Your Headers, Lint a JWT, Build a CSP, in One Tab.

Most of the free tools that tell you whether your website is configured safely are single-purpose, and some are going quiet. securityheaders.com, the one that popularized the A+ to F grade, is retiring its API in April 2026. Mozilla's HTTP Observatory has no public API. And even at their best, each one does a single job, headers, or a JWT, or a policy, never all three.
So we built Benteng (Indonesian for a fortress or stronghold): a free web-security hub that runs in one browser tab. It does three jobs, grades a site's security posture, inspects a JWT, and works with a Content-Security-Policy, and every finding comes with the exact fix. It is live at palugadahub.com/sec.
The one rule: authorized and defensive use only
Before the features, the boundary. Benteng is a defensive tool. The posture scanner reads a URL's own public response headers, the same ones your browser already receives when it loads the page, and never attacks, probes, or exploits a target. It is SSRF-guarded so it cannot be turned into a proxy for reaching internal systems, and rate-limited so it cannot be turned into a scanner. Only point it at sites you own or are explicitly authorized to test. This is a tool for hardening your own surface and for learning, not for hitting someone else's.
1. Posture scanner: your headers, graded A to F
Paste a URL and Benteng fetches its response headers and scores nine weighted checks into a single grade:
- HTTPS and HSTS: is the site on TLS, and does `Strict-Transport-Security` lock it in with a long enough `max-age`.
- Content-Security-Policy: is there a CSP, and is it weakened by `unsafe-inline`, `unsafe-eval`, or a wildcard source.
- Clickjacking: is framing controlled by `frame-ancestors` or `X-Frame-Options`.
- X-Content-Type-Options: is MIME sniffing turned off with `nosniff`.
- Referrer-Policy and Permissions-Policy: are referrers and browser features locked down.
- Cookie flags: do the `Set-Cookie` headers carry `Secure`, `HttpOnly`, and `SameSite`.
- Version disclosure: is the server leaking a `Server` version or `X-Powered-By` banner.
Each check is weighted by how much it matters, and the result is a grade plus a per-check list of what passed, what is weak, and the copy-paste fix. Scan a big site and it is honest: GitHub, for example, grades a B, with strong TLS and HSTS but a CSP that still allows unsafe-inline and a cookie missing HttpOnly. Real findings, not a rubber stamp.
2. JWT inspector: decode and lint, in your browser
Paste a JSON Web Token and Benteng decodes the header and payload and lints them for the classic mistakes, entirely client-side. The token is never sent anywhere. It flags:
- `alg: none`: the signature is not verified, so the token is trivially forgeable. A hard fail.
- HMAC algorithms (`HS256`), where a verifier that also accepts asymmetric tokens is open to key confusion.
- A missing or expired `exp`: a token that never expires, or one that already has.
- An empty signature segment.
- Sensitive claims: passwords, keys, or PII sitting in the payload, which is only base64, not encryption.
It does not verify the signature (that needs your secret); it tells you what is wrong with the token's shape.
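The shape checks listed above, as an added example that is not Benteng's own code: a small Node.js linter that decodes a token without verifying it and returns findings. The sensitive-claim keyword list and the sample tokens are constructed for the demo.

```javascript
// Decode one base64url segment to a UTF-8 string (Node 16+ supports 'base64url').
function b64urlDecode(seg) {
  return Buffer.from(seg, 'base64url').toString('utf8');
}

// Assumed keyword list for "sensitive-looking" claim names; the real tool's list may differ.
const SENSITIVE = /password|passwd|secret|ssn|credit|api[_-]?key|private/i;

// Lint a JWT's shape only. Never verifies the signature; `now` is injectable for testing.
function lintJwt(token, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  const findings = [];
  if (parts.length !== 3) return [{ level: 'fail', msg: 'token does not have three segments' }];
  let header, payload;
  try {
    header = JSON.parse(b64urlDecode(parts[0]));
    payload = JSON.parse(b64urlDecode(parts[1]));
  } catch {
    return [{ level: 'fail', msg: 'header or payload is not valid base64url JSON' }];
  }
  const alg = String(header.alg || '').toLowerCase();
  if (alg === 'none' || alg === '') findings.push({ level: 'fail', msg: 'alg is none or missing: signature is never checked, token is forgeable' });
  if (/^hs\d+$/.test(alg)) findings.push({ level: 'warn', msg: `${header.alg} is HMAC: verifier must pin the algorithm to avoid key confusion with RS/ES keys` });
  if (parts[2] === '') findings.push({ level: 'fail', msg: 'empty signature segment' });
  if (payload.exp === undefined) findings.push({ level: 'warn', msg: 'no exp claim: token never expires' });
  else if (typeof payload.exp !== 'number' || payload.exp <= now) findings.push({ level: 'fail', msg: 'exp is in the past (or not numeric)' });
  for (const k of Object.keys(payload)) {
    if (SENSITIVE.test(k)) findings.push({ level: 'warn', msg: `sensitive-looking claim "${k}" in payload: JWT payloads are base64, not encrypted` });
  }
  return findings;
}

// Build constructed sample tokens; the signature is a placeholder, not a real MAC.
function b64url(obj) { return Buffer.from(JSON.stringify(obj)).toString('base64url'); }
function makeToken(header, payload, sig = 'c2ln') { return `${b64url(header)}.${b64url(payload)}.${sig}`; }

// Constructed samples: one with alg none, an expired exp, a password claim and no signature,
// and one RS256 token that expires in 2100 and carries nothing sensitive.
const BAD = makeToken({ alg: 'none', typ: 'JWT' }, { sub: 'alice', exp: 1000, password: 'hunter2' }, '');
const OK = makeToken({ alg: 'RS256', typ: 'JWT' }, { sub: 'alice', exp: 4102444800 });

if (typeof require !== 'undefined' && require.main === module) {
  console.log(lintJwt(BAD)); // four findings: alg none, empty signature, expired exp, password claim
  console.log(lintJwt(OK));  // → []
}
```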
3. CSP tools: analyze or build
Two modes. Analyze takes an existing Content-Security-Policy and flags the weaknesses: unsafe-inline, unsafe-eval, bare wildcards, and a missing frame-ancestors, object-src, or base-uri. Build hands you a strict starting policy from a couple of toggles: default-src 'self', no wildcards, object-src 'none', frame-ancestors 'none', ready to paste and tighten.
Why one tab, and why free
The value is in the combination. Shipping a web app safely is not one check, it is the headers and the token handling and the policy, and bouncing between three sites for that is friction. Benteng puts them together, explains every finding so it doubles as an appsec primer, and asks for nothing, no account, no key. The JWT and CSP tools never leave your browser, and the scanner stores nothing.
Point it at your own site, read the fixes, and close the gaps before someone else finds them. That is the whole idea: see your web security the way an attacker does, then fix it.