Security
How we protect your data and keep your files safe.
The Core Principle
Your files never leave your device. This isn't just a privacy feature — it's a security architecture. By processing everything in your browser, we eliminate entire categories of security risk: server breaches, man-in-the-middle attacks, and unauthorized access by staff or third parties.
Client-Side Architecture
All PDF operations (merge, split, compress, rotate, watermark, etc.) are performed using pdf-lib, a pure JavaScript library that runs in your browser. No file data is ever transmitted over the network. The processing happens entirely within your browser's memory sandbox.
No Server Storage
We operate a static website only. There is no backend server, no database, no file storage, and no API endpoints that accept file uploads. The entire application is pre-built HTML, CSS, and JavaScript served from a CDN.
Transport Security
The website is served exclusively over HTTPS with TLS 1.3. All static assets (JavaScript libraries, fonts, stylesheets) are loaded from CDNs that also enforce HTTPS. We use HSTS headers to prevent downgrade attacks.
Content Security Policy
We implement a strict Content Security Policy that restricts script execution to trusted sources only. This prevents XSS attacks and unauthorized code execution.
No Authentication Surface
Since there are no user accounts, there is no authentication system to attack. No passwords, no sessions, no tokens — nothing to compromise.
Dependencies & Supply Chain
We use well-known, open-source libraries (pdf-lib, React, Astro) that are widely audited. Dependencies are pinned to specific versions and served from reputable CDNs with integrity hashes where possible.
Report a Security Issue
If you discover a security vulnerability, please email security@onlinepdfeditors.com. We take all reports seriously and will respond within 48 hours.