Security & Responsible Disclosure

ToolkitPropp emphasizes local processing, browser hardening headers, sanitized previews, and careful handling of remote lookups. This page outlines the current security posture and disclosure contact.

Last updated: March 26, 2026

Security posture

  • Most tools process content locally in the browser instead of uploading it to an app server.
  • Security headers are configured for clickjacking, MIME sniffing, referrer policy, and content restrictions.
  • User-controlled HTML preview paths are sanitized before rendering.
  • Remote-request tools block local, private, and reserved hosts.

Threats we actively reduce

  • XSS through sanitized previews and safer highlighting/rendering paths.
  • SSRF-style abuse by rejecting localhost, RFC1918, link-local, and reserved targets in browser lookup tools.
  • Unsafe XML and tag generation by escaping tool output before rendering or download.
  • Unnecessary production surface area by removing placeholder endpoints and unsupported public links.
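The host-rejection check described under SSRF-style abuse above, written here as an added example (not ToolkitPropp's own code): it assumes a lookup tool receives its target as a URL string and uses the WHATWG URL parser to canonicalize the host before matching it against loopback, RFC1918, link-local and reserved ranges.

```javascript
// Added example, not ToolkitPropp's code: a browser-side guard for lookup tools
// that refuses URLs whose host is localhost, RFC1918, link-local or reserved.

const ipv4ToInt = (s) => {
  const parts = s.split(".");
  if (parts.length !== 4 || !parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255)) return null;
  return parts.reduce((n, p) => n * 256 + Number(p), 0);
};

// Ranges treated as non-routable: "this network", RFC1918, CGNAT (RFC 6598),
// loopback, link-local, multicast and the reserved 240/4 block.
const BLOCKED_V4 = [
  "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
  "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
].map((cidr) => {
  const [base, bits] = cidr.split("/");
  const mask = (0xffffffff << (32 - Number(bits))) >>> 0;
  return { base: (ipv4ToInt(base) & mask) >>> 0, mask };
});

function isBlockedV4(ip) {
  return BLOCKED_V4.some(({ base, mask }) => ((ip & mask) >>> 0) === base);
}

function isBlockedV6(addr) {
  if (addr === "::1" || addr === "::") return true;                 // loopback / unspecified
  // The URL parser serializes IPv4-mapped addresses as ::ffff:hhhh:hhhh; recheck as IPv4.
  const mapped = addr.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
  if (mapped) return isBlockedV4(parseInt(mapped[1], 16) * 65536 + parseInt(mapped[2], 16));
  const first = parseInt(addr.split(":")[0] || "0", 16) || 0;
  return (first & 0xffc0) === 0xfe80 || (first & 0xfe00) === 0xfc00; // fe80::/10, fc00::/7
}

// Returns true when the lookup should be refused. Parsing with the WHATWG URL
// parser first canonicalizes shorthand such as "127.1" or a decimal integer host
// to dotted-quad, so those spellings cannot slip past the range check.
function isBlockedTarget(urlString) {
  let url;
  try { url = new URL(urlString); } catch { return true; }          // unparsable: refuse
  if (url.protocol !== "http:" && url.protocol !== "https:") return true;
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  if (host.startsWith("[")) return isBlockedV6(host.slice(1, -1));
  const ip = ipv4ToInt(host);
  return ip !== null && isBlockedV4(ip);
}
```

The check inspects only the literal host in the URL; a public name that resolves to a private address can only be caught after resolution, on whichever side actually performs the request.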

Browser support target

The app is designed for current evergreen versions of Chrome, Firefox, Safari, and Edge. Some advanced tools depend on Web Crypto, Canvas, MediaRecorder, AudioContext, Clipboard, or File APIs, so behavior can vary in older or restricted browsers.

Disclosure

If you believe you found a security issue, contact security@toolboxpropp.com. Please avoid destructive testing, social engineering, denial-of-service, or access to data that is not yours. The published policy is also available at /.well-known/security.txt.

Important note

This page describes engineering controls, not a legal guarantee or certification. If you need formal compliance review, please conduct an independent security and legal assessment for your deployment.

Related pages

See the acceptable use policy, privacy policy, and terms of use for the broader product rules.