Making Security Tools Accessible: Why I Chose the Browser


I’ve said it before, and I’ll likely say it again until someone turns it into merch: we keep bringing bazookas to wrestling matches. Security tooling today is often overcomplicated, infrastructure-heavy, and assumes a technical baseline that leaves many potential users out of the equation. My goal isn’t to build shiny things for the elite few: it’s to make useful tooling accessible to people beyond the traditional developer crowd. And if that means writing JavaScript in the browser, so be it.

The Security Mindset Behind My Tools

The decision to build tools like SBOMPlay and 3P-Tracer is grounded in simple, security-conscious principles:

  1. We will not store user data. If I never collect it, I don’t have to protect it.
  2. No API keys are ever stored persistently, not even client-side. You paste them if needed. That’s it.
  3. No CORS proxying. Yes, CORS can be bypassed that way, but a proxy puts someone else in the data path. That’s not acceptable.
  4. All requests are routed through your own browser. There’s no shared backend quota. If you hit your daily limit, the tool still works for everyone else. And if you’re hitting that limit daily, you’ve got bigger fish to fry.
  5. I host these tools on GitHub Pages, not under my company or personal subdomain. No advanced analytics. No logging. No data siphoning. You can verify the source, download the zip, and run it locally.

These decisions weren’t made because they were trendy; they were made to reduce attack surface and respect users.

Why the Browser?

Let’s be clear: I didn’t start building browser tools because I love JavaScript. I’ve long maintained that most of my sites shouldn’t need it at all. But if I want tooling that works without setup, installations, or assumptions, then the browser is the only interface nearly everyone has.

  • CMD fear is real. Not everyone wants to run curl or jq.
  • The browser doesn’t judge. You double-click index.html and it works.
  • JavaScript may be obnoxious, but it’s available.

In this specific case, accessibility mattered more than stack purity.

Real Examples: SBOMPlay and 3P-Tracer

With SBOMPlay, I wanted to give people a way to browse SBOMs locally without uploading anything. The entire app runs client-side, and LocalStorage handles up to 2,500 Google repository SBOMs.

3P-Tracer explores another idea: what if DNS, traditionally a command-line-only world, could be explored from the browser using DNS over HTTPS (DoH)? Turns out, it can. And it works surprisingly well.

These tools aren’t hacks or experiments. They’re designed to show what’s possible with just a browser, some vanilla JS, and a mindset focused on doing more with less.

What Works Surprisingly Well

  • LocalStorage isn’t huge (5 MB), but it’s enough if you’re smart about it.
  • DoH makes DNS an API. Suddenly, browser JS can do things we thought needed dig or nslookup.
  • Zero setup: no Docker, no Node, no dependency mess.
  • UI can change freely without disrupting logic or function.
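The DoH point made for 3P-Tracer above and in this list, as an added example that is not 3P-Tracer’s own code: the client half of RFC 8484 in plain JavaScript, building the wire-format query, encoding it for a DoH GET, and parsing the answer section, including the compression pointers a real resolver returns and the pointer loop that a malformed reply could use to hang the tab. The resolver URL `https://doh.example/dns-query` and `SAMPLE_RESPONSE` are constructed placeholders; `btoa` is available in any browser and in Node 16+.

```javascript
// Added example, not 3P-Tracer's code: a DoH (RFC 8484) GET request built in plain JavaScript, plus a parser for the wire-format answer.
function encodeName(name) {              // "example.com" -> [7, ...'example', 3, ...'com', 0]
  const out = [];
  for (const label of name.replace(/\.$/, "").split(".")) {
    if (!label.length || label.length > 63) throw new Error(`bad label in ${name}`);
    out.push(label.length, ...Array.from(label, c => c.charCodeAt(0)));
  }
  return [...out, 0];
}
// Header: ID 0 (RFC 8484 suggests it so HTTP caches can reuse answers), RD=1, QDCOUNT=1; then one question.
function buildQuery(name, type = 1 /* A */) {
  return new Uint8Array([0, 0, 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0,
                         ...encodeName(name), type >> 8, type & 0xff, 0, 1]);   // QTYPE, QCLASS=IN
}
// A DoH GET carries the message in the "dns" parameter as unpadded base64url.
function dohUrl(resolver, name, type = 1) {
  const b64 = btoa(String.fromCharCode(...buildQuery(name, type)));
  return `${resolver}?dns=${b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "")}`;
}
// Read a name at `off`, following 0xC0 compression pointers; returns [name, offsetAfterName].
function readName(msg, off) {
  const labels = []; let end = -1;
  for (let hops = 0; hops < 64; hops++) {  // hop cap: a looping pointer must not hang the tab
    const len = msg[off]; if (len === undefined) throw new Error("truncated message");
    if (len === 0) return [labels.join("."), end < 0 ? off + 1 : end];
    if ((len & 0xc0) === 0xc0) {           // pointer: 14-bit offset from the message start
      if (end < 0) end = off + 2;
      off = ((len & 0x3f) << 8) | msg[off + 1];
      continue;
    }
    labels.push(String.fromCharCode(...msg.subarray(off + 1, off + 1 + len))); off += len + 1;
  }
  throw new Error("compression pointer loop");
}
// Skip the question section, then collect the A records from the answer section.
function parseAnswers(msg) {
  const qd = (msg[4] << 8) | msg[5], an = (msg[6] << 8) | msg[7]; let off = 12;
  for (let i = 0; i < qd; i++) off = readName(msg, off)[1] + 4;   // + QTYPE + QCLASS
  const records = [];
  for (let i = 0; i < an; i++) {
    const [name, p] = readName(msg, off);
    const type = (msg[p] << 8) | msg[p + 1], rdlen = (msg[p + 8] << 8) | msg[p + 9];
    if (type === 1 && rdlen === 4) records.push({ name, address: Array.from(msg.subarray(p + 10, p + 14)).join(".") });
    off = p + 10 + rdlen;                  // TTL (p+4..p+7) is skipped here
  }
  return records;
}
// Constructed reply to the example.com A query: flags 0x8180, QD=1, AN=1; answer name is a pointer to offset 12, TTL 3600, A 192.0.2.1 (TEST-NET).
const SAMPLE_RESPONSE = new Uint8Array([0, 0, 0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 0, ...encodeName("example.com"), 0, 1, 0, 1,
  0xc0, 0x0c, 0, 1, 0, 1, 0, 0, 0x0e, 0x10, 0, 4, 192, 0, 2, 1]);
```

In a page, `fetch(dohUrl(resolver, name), { headers: { accept: "application/dns-message" } })` followed by `parseAnswers(new Uint8Array(await res.arrayBuffer()))` is the whole round trip; the resolver must send CORS headers, which is exactly the constraint the next section complains about.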

What Still Sucks (And Always Will)

  • CORS is brutal. It blocks half the ideas before they start.
  • Rate limiting exists. Fair, but still annoying.
  • Firefox isolates localhost tabs, which broke a few things in SBOMPlay’s downloaded mode.
  • IndexedDB is a future headache. LocalStorage is fine for now, but someday I’ll need to bite that bullet.

This Is the Baseline: Ask for More

Let’s be blunt. Many commercial products are just wrappers around public APIs. They charge you for a nicer UI and a login wall. My tools are here to set a baseline: this is what’s already free. If a vendor can’t clearly explain what value they add on top of that, they don’t deserve your money.

You don’t need my website. You can download the repo, unzip it, and double-click index.html. If you want to self-host it, be my guest. These projects aren’t one-shot experiments: they’re evolving tools, and I fully intend to keep enhancing their capabilities over time. And if you need something more robust, that’s when commercial or bespoke solutions start to make sense.

Minimalism is the Only Defense

This design philosophy ties into something I wrote earlier: Minimalism is your only defense. The less you store, the less you expose. The simpler your deployment, the smaller your attack surface. And when you build in the browser, client-side only, you inherit a bunch of guardrails for free.

Closing Thoughts

These tools aren’t replacements for terminal power-users. They’re on-ramps. They’re for people who want quick insight, not CLI acrobatics. For folks who are tired of setting up Docker to read a JSON file.

“You don’t always need the bazooka. Sometimes, all it takes is a well-sharpened pocket knife.”

And honestly? The browser makes for a pretty decent sheath.
