—
Browser-native dev toolkit. Nothing leaves your device.
Every transformation runs locally — no servers, no telemetry, no random S3 buckets seeing your tokens.
BOFH is a browser-native developer toolkit. Twenty modules — JSON, JWT, regex, hashing, diffing, SQL, certificates, cron, and so on — packaged into a single HTML file that runs entirely in your browser. No server, no account, no telemetry, no third-party scripts beyond a handful of CDN libraries that load on demand.
BOFH stands for Bastard Operator From Hell — a fictional sysadmin from Simon Travaglia's column (running since 1992) who delights in tormenting users, vendors, and anyone else who threatens his network. Devs of a certain vintage will know him.
The connection: the average online dev tool — jwt.io, regex101, jsonformatter, base64encode — receives every keystroke you paste into it. Production tokens, API responses with PII, regex patterns mining your logs. BOFH is a bastard to anyone trying to exfiltrate your data, because the only place that data goes is into your own browser's memory and (optionally) localStorage.
That's the whole pitch.
BOFH is one of a series of single-file, browser-native tools built on the same philosophy: nothing leaves your device. Sister projects include BabelLocal (translation), VoiceVault (Whisper), VaultMind (Obsidian explorer), NakliPoster (API client), and KanZen (kanban).
Paste or drop JSON. Format, minify, validate, or browse as a collapsible tree. JSONPath (subset) supports $, dot/bracket paths, and array indices.
Format, validate, and query XML with XPath. Uses the browser's native DOMParser, XMLSerializer, and document.evaluate. Works for SOAP, Maven POMs, Spring configs, RSS feeds, and anything else XML-shaped.
N-way converter between YAML, JSON, TOML, and dotenv. Pick source format → pick target format → paste → converted output appears on the right. YAML uses js-yaml (lazy CDN). TOML and dotenv are parsed inline with minimal pure-JS parsers — enough for 90% of real config files.
Live Markdown preview (CommonMark + GFM tables / fenced code) using marked.js (lazy CDN). Source on the left, preview on the right. "Copy as HTML" button copies the rendered HTML for pasting into email clients, CMSes, or anything else that takes HTML not Markdown.
Two textareas, line-level diff via LCS. When a deleted line is followed by an added line, an inline word-level diff highlights exactly what changed within the line. Pure JS, no CDN.
Convert tables between Markdown, HTML, CSV, and TSV. Pick source and target formats; auto-detect button sniffs the format from what you paste. Handles quoted CSV fields with embedded separators.
Batch string transforms in one tab: camelCase, PascalCase, snake_case, SCREAMING_SNAKE, kebab-case, dot.case, Title Case, slug, HTML-escape, whitespace-collapse, reversed. Plus a counts panel showing chars / chars-without-spaces / words / lines / UTF-8 bytes.
Drop a CSV/TSV file or paste rows. Get a sortable table (click headers), substring filter, regex find/replace across all cells, exact-row dedup, and CSV re-export. Loaded data is shared with the SQL tab via "Import from CSV tab". Uses Papa Parse from CDN.
Real SQLite in your browser via sql.js (~1MB WASM, lazy). Drop a CSV → BOFH infers column types (INTEGER/REAL/TEXT) and creates a table named after the file → write SQL → see results. Cmd/Ctrl+Enter runs the query. The database is in-memory only; nothing is persisted.
Drop a log file or paste lines. Virtual scroll handles up to 500K lines without breaking a sweat. Type a regex in the search box for live highlighting; toggle "Only matches" to filter. Status bar shows total lines and match count.
Decode any JWT. Verify HS256 by typing the secret. Verify RS256 by pasting the issuer's public key in PEM (-----BEGIN PUBLIC KEY-----). Expiry and "not before" are checked automatically.
SHA-1/256/384/512 and MD5 (legacy compat) for text or file input. HMAC-SHA-256/384/512 with a custom key. Output as hex, base64, or base64url. Compare against an expected hash for one-click integrity checks.
Generate time-based one-time passwords (RFC 6238) from a Base32 secret. Live countdown, HMAC-SHA1 via Web Crypto. Intended for testing your own 2FA implementations without adding throwaway secrets to a real authenticator app.
Cryptographically random passwords using crypto.getRandomValues. Configurable length, charset (lower / UPPER / digits / symbols), ambiguous-character exclusion (0 O l 1 | ` '), bulk mode, and a bits-of-entropy readout.
Text mode encodes UTF-8. File mode reads any file as bytes. URL-safe toggle uses -_ instead of +/ and strips padding.
Three sub-tools in one. Encode/decode with a component (encodeURIComponent) vs whole-URL (encodeURI) toggle. Parse any URL into protocol, host, port, path, query, and hash, plus a per-query-param breakdown (and Unicode form of punycode hostnames). Build a URL from a base + a list of key/value rows.
Generate RSA (2048/3072/4096) or ECDSA (P-256/384/521) keypairs entirely in your browser. Public key exports as SPKI PEM, private key as PKCS#8 PEM. Shows a SHA-256 SPKI fingerprint (the same one your TLS clients use). Paste any PEM PUBLIC KEY or CERTIFICATE to inspect — for X.509 certs you get subject, issuer, serial, validity dates, and the SPKI fingerprint, parsed via a tiny ASN.1 walker.
Detects seconds vs milliseconds. Shows ISO, local, and a relative ("3 days ago") form. Timezone selector uses your browser's IANA list.
Generate UUID v4 (random), UUID v7 (time-ordered, database-friendly), or Nano ID (21-char URL-safe). Bulk-generate up to 1000. Parse and validate existing UUIDs.
JavaScript regex with live match highlighting, capture-group inspection, all six flags (g i m s u y), a preset library (email, IPv4, UUID, ISO date, URL, hex color, phone), and a live replacement preview supporting $1/$2 backreferences. "Show escapes" toggle visualises \\n \\t \\r and control chars inline.
Convert between decimal / hex / octal / binary with a bit-width selector (8/16/32/64). Shows unsigned and two's-complement signed values, bit count, and padded hex. Uses BigInt so the 64-bit mode is exact.
Unix file permissions calculator. Click the 3×3 checkbox grid (user / group / other × read / write / execute) and see octal + symbolic notation update live. Presets for 0644, 0755, 0600, 0777.
Text or URL → QR code, rendered in-browser via qrcode-generator (lazy CDN). Choose error correction level (L/M/Q/H) and cell size; download the result as a GIF.
Two color inputs side-by-side. Each parses any CSS color (hex, rgb, hsl, oklch, named) via the browser's own parser, shows the swatch, and emits hex/rgb/hsl/oklch versions. Click any output to copy. The bottom panel shows the WCAG contrast ratio between A and B with pass/fail badges for AA / AAA at normal and large text sizes.
Paste any text → per-character breakdown: codepoint, UTF-8 bytes, general category, and category name. Suspicious characters (zero-width marks, BOMs, bidi overrides, non-space whitespace) are highlighted so you can catch homoglyph attacks and sneaky copy-paste bugs.
IPv4 CIDR calculator. Enter 10.0.0.42/22 and get network, broadcast, first/last host, total addrs, usable hosts, subnet mask, wildcard mask, address class, RFC1918 classification, and 32-bit binary representation of IP, mask, and network. Click any value to copy. "Expand all IPs" button enumerates every address in the range (capped at /20 to prevent accidentally expanding a /8).
Parses 5-field cron expressions (minute, hour, day-of-month, month, day-of-week). Shows a plain-English description of common patterns, expanded value sets per field, and the next 10 run times in your local timezone. Picks up the Vixie cron rule for combined day-of-month + day-of-week (OR semantics). Sample dropdown for common patterns.
Searchable reference for every HTTP status code from 1xx through 5xx, including the WebDAV and CDN-flavored ones. Click any card to copy "code name" to the clipboard. Filter matches code, name, or description.
Searchable reference for common request and response headers. Each card is tagged as request or response and includes security notes where it matters (CSP, HSTS, X-Frame-Options, Set-Cookie flags, etc.). Click any card to copy the header name.
Searchable MIME type ↔ extension reference covering ~60 common types across text, application, image, audio, video, and font categories. Filter matches type, extension, or description. Click a card to copy the MIME type.
Shows your current navigator.userAgent and parses it into browser, version, engine, OS, and device type. Paste any UA string to parse it. Modern browsers also expose structured data via navigator.userAgentData (Client Hints), shown when available.
/ — focus the module filter? — open this helpEsc — close modal / blur inputEach module saves its last input and settings to localStorage under namespaced keys (bofh:<module>:…). Use the ⌫ button in the sidebar foot to wipe everything.
Each module has a hash URL (#json, #jwt, …) so you can bookmark or share a tab.
BOFH is a single HTML file. There is no server, no analytics, no telemetry, no fonts loaded from a CDN. The only network traffic is the one-time on-demand fetch of a small set of CDN libraries (js-yaml, marked, Papa Parse, sql.js) when you first open one of the heavy modules — the URLs are all cdn.jsdelivr.net and the scripts run sandboxed in the page like any other library.
Your inputs are stored only in your own browser's localStorage, namespaced under bofh:. Clear them with the ⌫ button in the sidebar foot, or with your browser's site-data settings.
The JWT verifier, Hash module, and Keys module all use the browser's built-in Web Crypto API — the same primitives your OS uses for TLS.