Security at Google is more than vigilantly protecting our own systems and our users' data. We also want to help others increase the security posture of all Internet-connected systems. One way that we do this is by releasing some of our security tools as open-source.

These tools are designed to be used by people who are working or interested in the field of information security. They address a gap present in other open-source tools. These tools may require some minor tweaking or compilation to work on your systems. Please refer to the documentation if you are having problems.

Don't be evil. Practice safe checks. Some of these tools can be disruptive or cause sites to misbehave (this is by design). Only use these tools against services that you own or have permission to test.


Caja is a compiler for making third-party HTML, CSS and JavaScript safe to embed in your website. It uses an object-capability security model to allow for a wide range of flexible security policies. Caja has its own dedicated site where you can explore the compiler's source code and try out Caja in the Caja Playground.

CSP Evaluator

CSP Evaluator allows developers and security experts to check if a Content Security Policy (CSP) serves as a mitigation against cross-site scripting attacks.

CSP Mitigator

CSP Mitigator helps test if a site is compatible with CSP.

DevTools Security Panel

The Security Panel is a tool built into Chrome DevTools that allows you to view the security of a web page at a glance. In particular, it will highlight security flaws like certificate errors or mixed content.

DOM Snitch

DOM Snitch is an experimental Chrome extension that enables developers and testers to identify insecure practices commonly found in client-side code. Developers and testers can observe DOM modifications as they happen inside the browser without the need to step through JavaScript code with a debugger or pause the execution of their application.


Frodo is an implementation of a lattice-based key exchange with conjectured post-quantum security.

Gmail Postmaster Tools

Gmail Postmaster Tools enables medium and large email senders to have a better understanding of the state of their email delivery to Gmail users. In particular, the tool reports TLS, SPF, DKIM and DMARC status.


Gruyere is a small, cheesy web application that allows its users to publish snippets of text and store assorted files. "Unfortunately," Gruyere has multiple security bugs ranging from cross-site scripting and cross-site request forgery, to information disclosure, denial of service, and remote code execution. Find bugs while learning about web security!


Honggfuzz is a security-oriented software fuzzer with software- and hardware-based code coverage feedback modes.


Keyczar is an open source cryptographic toolkit designed to make it easier and safer for developers to use cryptography in their applications. It supports authentication and encryption with both symmetric and asymmetric keys. It is designed to be open, extensible and cross-platform compatible.


libFuzzer is an in-process coverage-guided fuzzing engine.

Native Client (NaCl)

Native Client (NaCl) is a technology for running native compiled code in the browser. NaCl aims to maintain the operating system portability and safety that people expect from web applications. NaCl has its own dedicated site that provides a high-level overview of the technology.


Nsjail is a Linux containerization/isolation tool making use of namespaces, seccomp-bpf syscall filters and resource limits.


Ratproxy is a semi-automated and mostly passive web application security audit tool. It complements active crawlers and manual proxies more commonly used for security reviews. It detects and prioritizes broad classes of security problems, including script inclusion and security-related content service issues, cross-site scripting and cross-site request forgery.


Sanitizers find buffer-overflow, use-after-free, uses of uninitialized memory, data races, and other bugs in C and C++.


Skipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for a site by carrying out a recursive crawl and dictionary tools. Written in C with a custom HTTP stack, it is high performance, easy to use and reliable.


Syzkaller is a coverage-guided Linux syscall fuzzer.


Upspin is an experimental project to build a framework for naming and sharing files and other data securely, uniformly, and globally: a global name system of sorts.


VSAQ is an interactive questionnaire application to assess the security programs of third parties.