Skip to content

Command Palette

Search for a command to run...

Security

FileCraft is designed so that a security breach of our infrastructure cannot expose your files, because we never have them.

Security Architecture

The most secure way to handle sensitive files is to never touch them at all. FileCraft is architected so that file processing happens entirely within your browser. Our servers are static file hosts with no file-processing capability whatsoever.

Security Measures

🔒

Files Never Leave Your Device

All file processing runs locally using the Canvas API, pdf-lib, and PDF.js. No file data is transmitted over the network.

🛡️

Strict Content Security Policy

Every page is served with a CSP header that restricts script sources to 'self' and blocks all inline eval.

🌐

HTTPS Everywhere

FileCraft is served exclusively over HTTPS with HSTS (HTTP Strict Transport Security) enabled, preventing downgrade attacks.

🚫

No Third-Party Scripts

We load no third-party analytics, advertising, or tracking scripts. The only external resource is the Inter font, which is self-hosted.

📵

No Cookies or Session Tokens

FileCraft sets no cookies and creates no sessions. There is no user account system to compromise.

Edge-Deployed Static Site

Hosted on Cloudflare Pages with no origin server. There is no backend to attack, no database to breach, and no server-side processing.

Content Security Policy

Our full CSP header is:

default-src 'self';
script-src 'self' 'unsafe-inline' 'wasm-unsafe-eval' https://cdn.jsdelivr.net;
worker-src 'self' blob:;
style-src 'self' 'unsafe-inline';
img-src 'self' data: blob:;
connect-src 'self' https://cdn.jsdelivr.net;
media-src 'self' blob:;
frame-ancestors 'none';
base-uri 'self';
form-action 'self'

Note: unsafe-inline is required for Next.js App Router hydration scripts. wasm-unsafe-eval is required for browser-based processing engines (FFmpeg, pdf-lib, PDF.js). The cdn.jsdelivr.net source is pinned for FFmpeg core loading. frame-ancestors 'none' prevents clickjacking, base-uri and form-action block injection-based redirects.

Responsible Disclosure

If you discover a security vulnerability in FileCraft, we appreciate responsible disclosure. Please contact us via our Contact page with details of the issue before making it public. We will acknowledge your report within 48 hours and work to resolve confirmed issues promptly.

Open Source Verification

Because FileCraft is open source, you can audit every line of code to verify our security and privacy claims. Visit our Open Source page to access the repository.