Security Practices

Architecture Security

Client-Side Isolation

Tools execute 100% in the user's browser sandbox. Sensitive data (keys, passwords, code) is never transmitted over the network.

Stateless Operations

Our servers are stateless regarding user input. We have no databases storing user submissions.

Application Security Headers

We implement strict security headers to protect users:

  • Content-Security-Policy (CSP)
  • X-Frame-Options: DENY
  • X-Content-Type-Options: nosniff
  • Referrer-Policy: strict-origin-when-cross-origin
  • Strict-Transport-Security (HSTS)
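
One way to check a response against the header list above, as an added example (not this site's own code): the function name `auditSecurityHeaders` and both sample header sets are assumptions constructed for illustration, including the CSP and HSTS values, which the list does not specify.

```javascript
// Audit a response's headers against the five headers listed above.
function auditSecurityHeaders(rawHeaders) {
  // Header names are case-insensitive, so normalize before lookup.
  const h = {};
  for (const [name, value] of Object.entries(rawHeaders)) {
    h[name.toLowerCase()] = String(value).trim();
  }
  const findings = [];
  // Headers for which the list above states an exact value.
  const expectExact = {
    'x-frame-options': 'deny',
    'x-content-type-options': 'nosniff',
    'referrer-policy': 'strict-origin-when-cross-origin',
  };
  for (const [name, want] of Object.entries(expectExact)) {
    if (!(name in h)) findings.push(`${name}: missing`);
    else if (h[name].toLowerCase() !== want) {
      findings.push(`${name}: expected ${want}, got ${h[name]}`);
    }
  }
  // A Report-Only policy reports violations but blocks nothing.
  if (!h['content-security-policy']) {
    findings.push('content-security-policy-report-only' in h
      ? 'content-security-policy: report-only, not enforced'
      : 'content-security-policy: missing');
  }
  // max-age=0 tells the browser to drop its HSTS entry for the host.
  const hsts = h['strict-transport-security'];
  const maxAge = hsts && /(?:^|;)\s*max-age\s*=\s*"?(\d+)/i.exec(hsts);
  if (!hsts) findings.push('strict-transport-security: missing');
  else if (!maxAge) findings.push('strict-transport-security: no max-age');
  else if (Number(maxAge[1]) === 0) {
    findings.push('strict-transport-security: max-age=0 disables HSTS');
  }
  return findings;
}

// Constructed sample: every listed header present and enforcing.
const goodHeaders = {
  'Content-Security-Policy': "default-src 'self'",
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
};
// Constructed sample: headers that look present but do not protect.
const weakHeaders = {
  'X-Frame-Options': 'SAMEORIGIN',
  'x-content-type-options': 'nosniff',
  'Content-Security-Policy-Report-Only': "default-src 'self'",
  'Strict-Transport-Security': 'max-age=0',
};
```

The same function can be fed the headers of a live response, for example `Object.fromEntries(response.headers)` after a `fetch` call.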

Supply Chain Security

  • Dependencies are minimized and audited regularly (npm audit).
  • External scripts are loaded with Subresource Integrity (SRI) hashes where possible.
  • We prioritize "Vanilla JS" implementations to reduce the attack surface.

Vulnerability Management

We maintain a proactive stance on security. If you identify a vulnerability, please see our Vulnerability Reporting Policy.