Skip to main content
image&pdf.com

Security & Privacy

This page describes the actual security posture of ImageAndPDF.com as deployed in production. Every claim below is derived from the manifest (lib/manifest/tools.ts), the live nginx configuration on our Hetzner VPS, or the security headers shipped by next.config.ts. If the page disagrees with what you observe in DevTools or via curl -I, email support@imageandpdf.com— we want to know.

Processing model per tool

Of 86 live tools, 59 run entirely in your browser (file never uploaded) and 27 require server-side processing (PDF compression, OCR, organize-pdf, HEIC conversion, Office-format conversions, bank-statement parsing). The badge above the upload area on each tool page shows which mode applies. Source of truth: lib/manifest/tools.ts.

  • Browser tools: WebAssembly + Canvas API + pdf-lib + ONNX Runtime Web. Closing the tab destroys the in-memory copy. We literally cannot see the file.
  • Server tools: HTTPS upload to our Hetzner Cloud VPS in Falkenstein, Germany (EU GDPR jurisdiction). File processed by qpdf / pikepdf / Pillow / Tesseract / LibreOffice (per tool) in a rate-limited Flask worker. Both the source file and any intermediate output are deleted from disk within 1 hour (cron job: tmpwatch /opt/imageandpdf/uploads --mtime +60). We log file size and processing duration only — never filenames, never contents.

Transport security

  • TLS: Let's Encrypt R3 certificates, auto-renewed via certbot 30 days before expiry. TLS 1.2 + 1.3 only; legacy ciphers disabled. SAN covers imageandpdf.com + www.imageandpdf.com; api.imageandpdf.com has its own cert.
  • HSTS: max-age=31536000; includeSubDomains; preload (one year, subdomain-inheriting, HSTS-preload-listed).
  • Verify: curl -sI https://imageandpdf.com | grep -i strict

Security headers

Configured in next.config.ts and enforced on every response:

  • Content-Security-Policy: script-src restricted to self + named CDNs (Google Analytics, Microsoft Clarity, AdSense, Cloudflare); object-src disabled (blocks Flash + Java applets); frame-ancestors self only.
  • X-Frame-Options: SAMEORIGIN (clickjacking defence).
  • X-Content-Type-Options: nosniff (MIME-sniffing defence).
  • Referrer-Policy: strict-origin-when-cross-origin.
  • Permissions-Policy: camera, microphone, geolocation, payment all disabled.

Rate limiting + abuse defence

  • Per-IP per-tool rate limits enforced at the Flask layer via @rate_limit(tool_id) decorators. Limits are tuned per tool based on processing cost (heavy tools like OCR allow fewer calls/minute than lightweight ones).
  • Nginx upstream timeout 60s; payload limit 200 MB (returns HTTP 413 above that).
  • No CAPTCHAs on tool pages; reCAPTCHA available for the contact form (dormant unless abuse spikes).

Sensitive data handling

We do not store, analyse, or share user files at rest. Server-side processed files exist on disk only for the duration of one HTTP request plus the deletion cron interval (≤1 hour). We do not run ML training on user data. We do not sell or share user files with any third party. The full subprocessor list with data shared and legal basis is in Privacy Policy.

Reporting a vulnerability

Found a bug, header misconfiguration, or data-handling issue? Email support@imageandpdf.com with reproduction steps. We aim to acknowledge within 48 hours and ship a fix or roadmap entry within 14 days. We do not pay bug bounties but credit reporters on this page if requested.

For full detail on what we collect and how, see our Privacy Policy and Cookie Policy.

Document revisions

Effective date: 2026-06-26

Page owner: Kummari Achyuth (support@imageandpdf.com)

DateChange
2026-06-26Seeded into manifest. Awaiting Phase D rewrite to describe actual TLS provider (certbot/Let's Encrypt), actual headers (next.config.ts), actual rate limits (backend), actual deletion schedule (manifest).