Skip to content
SecretPNG

Network transparency

SecretPNG runs as two very different kinds of route. This page states exactly what each one is allowed to send over the network.

Two route classes

Public pages are the marketing, guide, and informational pages. They may load a small, named set of third parties — but only if we have configured them and only after you have consented. The secure workspace at /app/*, along with the secret-link APIs, is where you actually use the tools. It loads no third parties at all, enforced by a strict Content Security Policy.

Table 1 — Public pages

Third parties that may load, and only after the matching consent is granted:

Third partyOriginsWhen it loads
Google Analytics 4googletagmanager.com, *.google-analytics.comOnly if configured and only after you grant analytics consent.
Google AdSensepagead2.googlesyndication.com, and related Google ad originsOnly if configured and only after you grant advertising consent.

If you decline, neither loads. See the cookie policy and advertising disclosure for details.

Table 2 — Secure workspace (/app/*) and secret APIs

A hard list. The Content Security Policy on these routes sets default-src 'self' and connect-src 'self':

Resource typeAllowed originsPolicy
Scripts'self' only (with per-request nonces)No third-party scripts, ever.
Styles & fonts'self' only (fonts self-hosted)No Google Fonts or other font CDNs at runtime.
Images & media'self' and data: onlyNo third-party images, pixels, or beacons.
FramesNoneNo third-party frames or embeds.
Analytics & adsNoneStructurally absent — not imported and forbidden by CSP.
Network connections (connect-src)'self' onlyThe only calls are same-origin secret-link APIs (e.g. POST /api/secrets…), and they carry ciphertext only.

The only calls the workspace makes

Inside the workspace the sole network calls are same-origin requests to our own secret-link API — for example POST /api/secrets… when you create a one-time secret, or a matching read when someone opens one. Those requests carry ciphertext only: the content is encrypted in your browser first, and the decryption key stays in the URL fragment, which browsers never transmit. Every other tool — file encryption, metadata removal, redaction, hashing, generators, private notes — makes no network calls with your content at all.

Self-hosted fonts

Fonts are bundled and served from our own origin using the framework's built-in font pipeline (next/font). There are no runtime requests to Google Fonts or any other font CDN, so loading a page does not leak your visit to a font host.

The live network monitor

The secure workspace includes a live network-transparency panel that shows you your own request log for the current session — how many same-origin requests the page has made and whether any unexpected cross-origin request has occurred. It is meant to let you verify the claims on this page for yourself rather than take them on faith.

Its limits are honest ones: it cannot see activity from browser extensions, and simply loading the hosted app requires network requests to fetch it. For the strongest isolation, install the offline app and run it with networking disabled — then there is zero network activity by construction.

Related

See the threat model for what these controls do and do not defend against, and the security overview for how this fits the rest of the design.

Last reviewed: 2026-07-14.