Security
How we protect the platform — and how to report a vulnerability.
If you believe you have found a vulnerability, please report it responsibly through our contact form with the subject "Security vulnerability". Do not publicly disclose the issue until we have had a chance to investigate and remediate it.
How we protect your data
Browser-side tools
The majority of tools on it.you run entirely in your browser using JavaScript. This means your input — JSON, passwords, hashes, text, images — is never transmitted to our servers. There is no server-side logging of your tool usage for these tools. You can verify this by inspecting network requests in your browser's developer tools.
Examples include: JSON Formatter, Password Generator, Hash Generator, Base64 Encoder, UUID Generator, and most text tools.
Backend-assisted tools
Some tools need a server-side component: DNS Lookup, WHOIS Lookup, and IP Geolocation send outbound queries from our servers. For these tools:
- Queries are forwarded to upstream sources (DNS resolvers, WHOIS servers, IP geolocation APIs)
- We log query metadata (domain/IP queried, timestamp, hashed IP) for rate limiting and abuse prevention
- We do not sell or share query logs with third parties
- Logs are retained for 30 days and then deleted
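The following is an added example of how the query log described above can be kept (it is not it.you's own code and makes assumptions the page does not state: that the "hashed IP" is a keyed HMAC pseudonym rather than a bare hash, that the log is an in-memory list, and that LOG_KEY is a server-side secret). It shows why the key matters: a plain SHA-256 of an IPv4 address is reversible by enumerating all 2**32 candidates, whereas the keyed pseudonym is still usable for rate limiting but cannot be inverted by anyone who obtains the log without the key. It also applies the 30-day retention window.

```python
"""Query-log handling for backend-assisted lookups (DNS/WHOIS/geolocation).

Added example, not it.you's code. Assumptions: keyed HMAC pseudonym for the
client IP, in-memory list as the log store, 30-day retention, hypothetical key.
"""
import hashlib
import hmac
import ipaddress
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=30)

# Hypothetical server-side secret. Without a key, hashing an IPv4 address is
# not anonymisation: all 2**32 inputs can be hashed and matched in minutes.
LOG_KEY = b"example-log-key-rotate-me"


def pseudonymize_ip(ip: str, key: bytes = LOG_KEY) -> str:
    """Keyed hash of a client IP, canonicalised so '2001:db8:0:0::1' == '2001:db8::1'."""
    canonical = str(ipaddress.ip_address(ip))
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()[:32]


def record_query(log: list, tool: str, target: str, client_ip: str, now: datetime) -> dict:
    """Append exactly the metadata the page lists: tool, target, timestamp, hashed IP."""
    entry = {
        "tool": tool,
        "target": target,
        "ts": now,
        "ip_hash": pseudonymize_ip(client_ip),
    }
    log.append(entry)
    return entry


def purge_expired(log: list, now: datetime, retention: timedelta = RETENTION) -> int:
    """Drop entries older than the retention window; return how many were removed."""
    cutoff = now - retention
    before = len(log)
    log[:] = [e for e in log if e["ts"] >= cutoff]
    return before - len(log)


def is_rate_limited(log: list, client_ip: str, now: datetime,
                    limit: int, window: timedelta) -> bool:
    """Abuse check that needs only the pseudonym: count this client's recent queries."""
    ip_hash = pseudonymize_ip(client_ip)
    since = now - window
    recent = sum(1 for e in log if e["ip_hash"] == ip_hash and e["ts"] >= since)
    return recent >= limit


def demo() -> dict:
    """Constructed sample: one client makes lookups on day 0, day 20 and a burst on day 31."""
    log: list = []
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    record_query(log, "dns", "example.com", "203.0.113.7", t0)
    record_query(log, "whois", "example.org", "203.0.113.7", t0 + timedelta(days=20))
    for i in range(5):
        record_query(log, "geoip", "198.51.100.9", "203.0.113.7",
                     t0 + timedelta(days=31, seconds=i))
    now = t0 + timedelta(days=31, seconds=10)
    limited = is_rate_limited(log, "203.0.113.7", now, limit=5, window=timedelta(minutes=1))
    removed = purge_expired(log, now)          # only the day-0 entry is past 30 days
    return {"limited": limited, "removed": removed, "remaining": len(log)}


if __name__ == "__main__":
    print(demo())
```

Canonicalising the address before hashing matters for IPv6, where the same host can be written several ways; without it one client would appear as several pseudonyms and slip under the rate limit.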
Accounts and authentication
- Passwords are hashed using bcrypt with a cost factor of 12
- Sessions use signed, HttpOnly, SameSite=Lax cookies
- CSRF protection is applied to all state-changing requests
- Rate limiting is applied to login, registration, and contact endpoints
- Passwords are never stored in plain text, logs, or emails
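The session-cookie and CSRF points above, as an added example (not it.you's own code). It assumes an HMAC-SHA256 signature over the session id (the page only says "signed"), a cookie named "session", a synchronizer token derived from the session id, and a hypothetical SESSION_KEY; bcrypt password hashing is left out because it needs a third-party library. The check shows why both layers are listed: the signature stops a tampered cookie, and the per-request token stops a forged state-changing request even when the browser did attach the cookie.

```python
"""Signed session cookie plus CSRF check for state-changing requests.

Added example, not it.you's code. Assumptions: HMAC-SHA256 cookie signature,
cookie name 'session', synchronizer CSRF token bound to the session id,
hypothetical SESSION_KEY loaded from secret storage in a real deployment.
"""
import base64
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie
from typing import Optional, Tuple

SESSION_KEY = b"example-session-key-rotate-me"   # hypothetical secret
COOKIE_NAME = "session"
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _sign(payload: str, key: bytes) -> str:
    return _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())


def session_cookie_value(session_id: str, key: bytes = SESSION_KEY) -> str:
    """'<session id>.<signature>'; the id is readable, but not forgeable."""
    return f"{session_id}.{_sign(session_id, key)}"


def set_cookie_header(session_id: str, key: bytes = SESSION_KEY) -> str:
    """Set-Cookie value with the attributes the page lists (plus Secure, since the site is HTTPS-only)."""
    return (f"{COOKIE_NAME}={session_cookie_value(session_id, key)}; "
            "Path=/; HttpOnly; Secure; SameSite=Lax")


def verify_session_cookie(cookie_header: str, key: bytes = SESSION_KEY) -> Optional[str]:
    """Return the session id if the Cookie header carries a validly signed cookie, else None."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    if COOKIE_NAME not in jar:
        return None
    session_id, _, sig = jar[COOKIE_NAME].value.rpartition(".")
    if not session_id or not hmac.compare_digest(sig, _sign(session_id, key)):
        return None
    return session_id


def csrf_token_for(session_id: str, key: bytes = SESSION_KEY) -> str:
    """Synchronizer token bound to the session; rendered into forms, never sent as a cookie alone."""
    return _sign("csrf:" + session_id, key)


def check_request(method: str, cookie_header: str, form_token: Optional[str],
                  key: bytes = SESSION_KEY) -> Tuple[bool, str]:
    """Authorise one request: a valid session always; a valid CSRF token for state changes."""
    session_id = verify_session_cookie(cookie_header, key)
    if session_id is None:
        return False, "no valid session"
    if method.upper() not in STATE_CHANGING:
        return True, "read-only request"
    if form_token is None or not hmac.compare_digest(form_token, csrf_token_for(session_id, key)):
        return False, "missing or wrong CSRF token"
    return True, "ok"


def demo() -> dict:
    """Constructed scenario: a logged-in user, a cross-site forged POST, a tampered cookie."""
    session_id = secrets.token_urlsafe(16)
    cookie_header = f"{COOKIE_NAME}={session_cookie_value(session_id)}"
    token = csrf_token_for(session_id)
    # Forged POST: assume the cookie arrived anyway (a browser without SameSite
    # support, or a request Lax still permits); the attacker cannot read the token.
    forged = check_request("POST", cookie_header, None)
    # Tampered cookie: different session id, original signature.
    _, _, sig = session_cookie_value(session_id).rpartition(".")
    tampered = check_request("GET", f"{COOKIE_NAME}=admin.{sig}", None)
    genuine = check_request("POST", cookie_header, token)
    read_only = check_request("GET", cookie_header, None)
    return {"forged": forged[0], "tampered": tampered[0],
            "genuine": genuine[0], "read_only": read_only[0]}


if __name__ == "__main__":
    print(set_cookie_header("demo"))
    print(demo())
```

One caveat the check above makes visible: SameSite=Lax still sends the cookie on top-level GET navigations, and the token is only demanded for POST/PUT/PATCH/DELETE, so no state-changing action may be reachable via GET. Keeping the token check on every mutating method, rather than relying on SameSite alone, is what the page's CSRF line amounts to in practice.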
Transport security
All traffic is served over HTTPS with HSTS enabled. We do not serve any content over plain HTTP. TLS certificates are managed and auto-renewed.
Responsible disclosure policy
We welcome security researchers who identify genuine vulnerabilities. We commit to:
- Acknowledging your report within 2 business days
- Investigating and responding with our assessment within 7 business days
- Keeping you informed of remediation progress
- Crediting you in our security acknowledgements (with your permission) upon resolution
- Not pursuing legal action against researchers who act in good faith
In scope
- Authentication and session management vulnerabilities
- Cross-site scripting (XSS) in our own templates
- Cross-site request forgery (CSRF)
- SQL injection or other data access vulnerabilities
- Server-side request forgery (SSRF) via backend tools
- Sensitive data exposure
Out of scope
- Denial of service attacks
- Social engineering or phishing of our staff
- Issues in third-party services we depend on (report directly to them)
- Missing security headers that have no exploitable impact
- Theoretical vulnerabilities without a proof of concept
Reporting a vulnerability
Use our contact form with subject "Security vulnerability". Include:
- A description of the vulnerability and its potential impact
- Step-by-step reproduction steps
- Any proof-of-concept code or screenshots
- Your contact information (optional, for follow-up)
Please do not submit vulnerability reports via public issue trackers, social media, or our general feedback form.