Network transparency
SecretPNG runs as two very different kinds of route. This page states exactly what each one is allowed to send over the network.
Two route classes
Public pages are the marketing, guide, and informational pages. They may load a small, named set of third parties — but only if we have configured them and only after you have consented. The secure workspace at /app/*, along with the secret-link APIs, is where you actually use the tools. It loads no third parties at all, enforced by a strict Content Security Policy.
Table 1 — Public pages
Third parties that may load, and only after the matching consent is granted:
| Third party | Origins | When it loads |
|---|---|---|
| Google Analytics 4 | googletagmanager.com, *.google-analytics.com | Only if configured and only after you grant analytics consent. |
| Google AdSense | pagead2.googlesyndication.com, and related Google ad origins | Only if configured and only after you grant advertising consent. |
If you decline, neither loads. See the cookie policy and advertising disclosure for details.
Table 2 — Secure workspace (/app/*) and secret APIs
A hard list. The Content Security Policy on these routes sets default-src 'self' and connect-src 'self':
| Resource type | Allowed origins | Policy |
|---|---|---|
| Scripts | 'self' only (with per-request nonces) | No third-party scripts, ever. |
| Styles & fonts | 'self' only (fonts self-hosted) | No Google Fonts or other font CDNs at runtime. |
| Images & media | 'self' and data: only | No third-party images, pixels, or beacons. |
| Frames | None | No third-party frames or embeds. |
| Analytics & ads | None | Structurally absent — not imported and forbidden by CSP. |
| Network connections (connect-src) | 'self' only | The only calls are same-origin secret-link APIs (e.g. POST /api/secrets…), and they carry ciphertext only. |
The only calls the workspace makes
Inside the workspace the sole network calls are same-origin requests to our own secret-link API — for example POST /api/secrets… when you create a one-time secret, or a matching read when someone opens one. Those requests carry ciphertext only: the content is encrypted in your browser first, and the decryption key stays in the URL fragment, which browsers never transmit. Every other tool — file encryption, metadata removal, redaction, hashing, generators, private notes — makes no network calls with your content at all.
Self-hosted fonts
Fonts are bundled and served from our own origin using the framework's built-in font pipeline (next/font). There are no runtime requests to Google Fonts or any other font CDN, so loading a page does not leak your visit to a font host.
The live network monitor
The secure workspace includes a live network-transparency panel that shows you your own request log for the current session — how many same-origin requests the page has made and whether any unexpected cross-origin request has occurred. It is meant to let you verify the claims on this page for yourself rather than take them on faith.
Its limits are honest ones: it cannot see activity from browser extensions, and simply loading the hosted app requires network requests to fetch it. For the strongest isolation, install the offline app and run it with networking disabled — then there is zero network activity by construction.
Related
See the threat model for what these controls do and do not defend against, and the security overview for how this fits the rest of the design.
Last reviewed: 2026-07-14.