Dev Tools

Security

How we think about security, what we collect (and don't), and a frank attack-surface analysis. Source code is public — anyone can verify.

Why the architecture is safe

Our core design principle: there's nothing to steal. Every tool processes data right in your browser:

  • All 53 tools are client-side — files / text / passwords are never sent to a server
  • No database, no user accounts, no password storage
  • No payments, no paywall, no subscriptions
  • All traffic is HTTPS with HSTS, so a man-in-the-middle can neither read it nor downgrade it to plain HTTP

What we don't collect

For full transparency, we have never collected — and cannot collect — any of the following:

  • PDFs / images / videos you upload — they stay on your device; nothing carries them out
  • Passwords, API keys, tokens, JSON content you type — all in-browser
  • PII, email, name, IP address (Vercel Analytics is configured not to record IP)
  • Cookies only store theme preference (dark / light); no tracking IDs

Third-party services (full disclosure)

Every third-party the site touches:

  • Vercel Analytics + Speed Insights — page-view counts only, no IP, no PII
  • bundlephobia.com (only on the bundle-size tool) — the npm package name you query is sent to their public API
  • OpenAI / Anthropic / Google APIs (only on the md-translate tool) — uses your own API key, called directly from your browser; we never touch it

The only backend touchpoint: tw-test-data password gate

To stop abuse of tw-test-data (Taiwan ID / credit card generator), we added a password gate + 3-strike IP ban + Telegram alert. Access is tracked with HMAC-signed cookies produced via WebCrypto, and the password lives in environment variables rather than in the code. Even if the gate were breached, all an attacker would get is fake test data, so there is no real loss.

Open source

The entire project is public on GitHub so you can verify everything above for yourself: github.com/MarkwwLiu/dev

Found a vulnerability? Tell us privately

Please report security issues privately via GitHub Security Advisory; we'll respond quickly. Please don't disclose them in public issues / PRs, so they can't be weaponised before a fix ships.

→ Report privately (GitHub Security Advisory)