FerrLabs · BryanFRD · May 21, 2026
diff --git a/entries/2026-05-21-ferrlens-cors-tester.md b/entries/2026-05-21-ferrlens-cors-tester.md
@@ -0,0 +1,21 @@
+---
+title: 'CORS tester'
+summary: Send a preflight + actual request from a configurable Origin and see exactly which CORS headers the server returns — with pass/fail diagnostics.
+date: 2026-05-21T09:15:00+02:00
+product: ferrlens
+type: new
+prLink: https://github.com/FerrLabs/FerrLens-Cloud/pull/56
+---
+
+[/tools/cors](https://ferrlens.com/tools/cors) helps debug "why does my fetch fail in the browser but work in curl" by reproducing exactly what a browser does:
+
+- For non-simple methods (PUT, PATCH, DELETE, etc.) it sends an **OPTIONS preflight** with `Origin`, `Access-Control-Request-Method` and `Access-Control-Request-Headers`.
+- Then it sends the **actual request** with the supplied Origin.
+- Both responses show every CORS header the server returned: `Access-Control-Allow-Origin`, `-Allow-Credentials`, `-Allow-Methods`, `-Allow-Headers`, `-Expose-Headers`, `-Max-Age`, and `Vary`.
+
+Diagnostic checks flag the common mistakes:
+- Origin not allowed (or no `Access-Control-Allow-Origin` returned at all).
+- Preflight doesn't list the requested method.
+- `Access-Control-Allow-Origin: *` combined with `Allow-Credentials: true` — invalid per spec, browsers will reject the response.
+
+Useful when integrating a third-party API, configuring a new endpoint, or chasing the maddening "request blocked by CORS policy" error.
diff --git a/entries/2026-05-21-ferrlens-ct-search.md b/entries/2026-05-21-ferrlens-ct-search.md
@@ -0,0 +1,22 @@
+---
+title: 'CT log search'
+summary: Find every TLS certificate ever issued for a domain by querying the public Certificate Transparency logs (crt.sh) — great for subdomain discovery and rogue-cert detection.
+date: 2026-05-21T09:20:00+02:00
+product: ferrlens
+type: new
+prLink: https://github.com/FerrLabs/FerrLens-Cloud/pull/56
+---
+
+[/tools/ct-search](https://ferrlens.com/tools/ct-search) queries [crt.sh](https://crt.sh) — the public Certificate Transparency log search — for every TLS cert ever issued for `*.example.com`, and returns:
+
+- Cert ID (clickable straight to crt.sh for the full PEM).
+- Issuer (Let's Encrypt, DigiCert, Sectigo, internal CA, …).
+- Validity window: `not_before` → `not_after`.
+- All **subjectAltNames** as searchable chips.
+
+Two big use cases:
+
+1. **Subdomain discovery** — every internal-only hostname an org has ever issued a public cert for shows up here. Cheap recon before scoping a security audit or migration.
+2. **Rogue-cert detection** — if a CA you don't use issued a cert for your domain, you'll see it here. Combine with CAA records on the DNS side.
+
+Capped at 200 most recent certs to keep responses fast. Hits live data — no cache.
diff --git a/entries/2026-05-21-ferrlens-meta-inspector.md b/entries/2026-05-21-ferrlens-meta-inspector.md
@@ -0,0 +1,19 @@
+---
+title: 'Meta tag inspector'
+summary: Fetch any URL and see every meta + link tag grouped by namespace — standard, OpenGraph, Twitter, Facebook, http-equiv, link.
+date: 2026-05-21T09:00:00+02:00
+product: ferrlens
+type: new
+prLink: https://github.com/FerrLabs/FerrLens-Cloud/pull/56
+---
+
+[/tools/meta](https://ferrlens.com/tools/meta) crawls a single URL, parses the HTML, and lays out every meta tag and `<link>` element it finds, grouped by namespace:
+
+- **Standard** — description, keywords, viewport, theme-color, canonical, alternates, robots.
+- **OpenGraph** — og:title / og:description / og:image / og:url / og:type / article: / book: / profile:.
+- **Twitter** — twitter:card / twitter:site / twitter:creator / twitter:title / twitter:description / twitter:image.
+- **Facebook** — fb:app_id and friends.
+- **http-equiv** — Content-Security-Policy, refresh, etc.
+- **link** — preload, prefetch, dns-prefetch, manifest, stylesheet, alternate languages.
+
+Useful when debugging social share previews, auditing canonical / alternate hreflang coverage, or just sanity-checking what a page actually exposes. Pure parser — no rendering, no JS execution.
diff --git a/entries/2026-05-21-ferrlens-mixed-content.md b/entries/2026-05-21-ferrlens-mixed-content.md
@@ -0,0 +1,14 @@
+---
+title: 'Mixed content scanner'
+summary: Scan an HTTPS page for HTTP-only src / href / action / poster / data-src resources that modern browsers block.
+date: 2026-05-21T09:10:00+02:00
+product: ferrlens
+type: new
+prLink: https://github.com/FerrLabs/FerrLens-Cloud/pull/56
+---
+
+[/tools/mixed-content](https://ferrlens.com/tools/mixed-content) crawls an HTTPS page and reports any resource still pointing at `http://` — the classic mixed-content trap that breaks images, scripts, iframes and form actions silently on modern browsers (Chrome blocks active mixed content outright, passive in incognito).
+
+Looks at every common URL attribute: `src`, `href`, `action`, `poster`, `background`, `data-src`, `formaction`, both single- and double-quoted. Results are grouped by attribute so you immediately see whether the problem is in `<script>` tags, `<img>` tags, or stray `<form action="http://…">` patterns left over from a legacy migration.
+
+If the URL you pass is plain HTTP, the tool tells you mixed content doesn't apply — it's not the right check for that case.
diff --git a/entries/2026-05-21-ferrlens-og-preview.md b/entries/2026-05-21-ferrlens-og-preview.md
@@ -0,0 +1,18 @@
+---
+title: 'OG card preview'
+summary: See how a URL renders as a Twitter card, LinkedIn share and Slack unfurl — side by side, with warnings for missing or oversized fields.
+date: 2026-05-21T09:05:00+02:00
+product: ferrlens
+type: new
+prLink: https://github.com/FerrLabs/FerrLens-Cloud/pull/56
+---
+
+[/tools/og-preview](https://ferrlens.com/tools/og-preview) takes a URL and shows three side-by-side visual mocks of how it will appear when shared:
+
+- **Twitter / X** — `summary` or `summary_large_image` depending on `twitter:card`.
+- **LinkedIn** — image on top, title + hostname in the grey caption bar.
+- **Slack** — site name + favicon, blue title, description, then the inline image.
+
+A warnings panel calls out the common mistakes: missing `og:image` (links look bare), title > 70 chars (Twitter truncates), description > 200 chars, missing `twitter:card` (Twitter falls back to small image), and the always-painful "you forgot to add OG tags entirely".
+
+Fetches the page server-side, parses meta + link tags, resolves the favicon, and renders everything in your browser — nothing is uploaded.