| Version | Supported |
|---|---|
| latest | ✅ |
If you discover a security vulnerability in CloakPDF, please do not open a public GitHub issue.
Instead, report it privately via GitHub Security Advisories.
You can expect:
- Acknowledgement within 48 hours
- Status update within 7 days
- Credit in the advisory once the fix is released (if desired)
CloakPDF is a client-side only application — all PDF processing happens in your browser. No files or data are transmitted to any server. The attack surface is limited to:
- Third-party npm dependencies (monitored via automated CI security audits and Dependabot)
- Browser sandbox escape (out of scope — report to the browser vendor)
Known dependency vulnerabilities are tracked automatically via:
- GitHub Dependabot — daily checks against the GitHub Advisory Database
- OSV-Scanner — weekly CI workflow against the Open Source Vulnerabilities database
If you spot one that has not been addressed, please follow the disclosure process above.
- Content Security Policy — declared via `<meta http-equiv="Content-Security-Policy">` in `index.html`. `connect-src` is restricted to the application origin and the public CDNs that serve the Tesseract OCR engine and language data, so the page cannot upload user file content anywhere else.
- Subresource integrity — all first-party JavaScript is bundled and served from the same origin under hashed filenames.
- No tracking or analytics — the page makes no third-party network requests at runtime beyond what is listed above.
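The `connect-src` restriction above is what keeps a client-side-only app from becoming an exfiltration channel, and it is easy to undo by accident (a `*`, a bare `https:`, or simply dropping the directive so it falls back to `default-src`). The following checker is an added example and not part of CloakPDF; it parses a serialized CSP, resolves the effective `connect-src` with the spec's `default-src` fallback, and reports sources broad enough to let script reach arbitrary hosts. The CDN origin in the sample policies is a constructed placeholder, not the CDN CloakPDF actually uses.

```python
"""Check that a Content-Security-Policy pins network connections to an
explicit allow-list. Added example for the policy described above; not
code from the CloakPDF project. The CDN origin below is a placeholder."""

from typing import Dict, List, Optional

# Source expressions that let script talk to (nearly) any host. Any of these
# in the effective connect-src means user file content could be POSTed anywhere.
OVERLY_BROAD_SOURCES = {"*", "http:", "https:", "ws:", "wss:", "data:", "blob:"}

# Constructed sample policies (the CDN host is a placeholder, not a real origin).
WEAK_POLICY = "default-src 'self'; script-src 'self'; connect-src *"
STRICT_POLICY = "default-src 'self'; connect-src 'self' https://ocr-cdn.example"


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a serialized CSP into {directive-name: [source expressions]}.

    Directives are ';'-separated, tokens are whitespace-separated. Directive
    names and quoted keywords ('self', 'none', ...) are case-insensitive, so
    they are lower-cased; host sources are kept as written. Per the CSP spec,
    a directive repeated later in the policy is ignored.
    """
    directives: Dict[str, List[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name in directives:
            continue
        directives[name] = [t.lower() if t.startswith("'") else t for t in tokens[1:]]
    return directives


def effective_connect_src(directives: Dict[str, List[str]]) -> Optional[List[str]]:
    """connect-src falls back to default-src when absent; None means no restriction at all."""
    if "connect-src" in directives:
        return directives["connect-src"]
    return directives.get("default-src")


def connect_src_problems(policy: str) -> List[str]:
    """Return findings for the policy; an empty list means connect-src is an explicit allow-list."""
    problems: List[str] = []
    sources = effective_connect_src(parse_csp(policy))
    if sources is None:
        problems.append("no connect-src or default-src: fetch/XHR/WebSocket may reach any origin")
        return problems
    for src in sources:
        if src in OVERLY_BROAD_SOURCES:
            problems.append(f"overly broad source {src!r}")
        elif src.startswith("*.") or "://*." in src:
            # A wildcard host is narrower than '*' but still admits any subdomain.
            problems.append(f"wildcard host {src!r}")
    return problems


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("strict", STRICT_POLICY)):
        findings = connect_src_problems(policy)
        print(f"{label}: {'OK' if not findings else '; '.join(findings)}")
```

Run it against the policy string copied out of `index.html`; the check belongs next to the dependency audits in CI so that a future edit to the meta tag cannot silently widen `connect-src`.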
Last reviewed: 2026-04-17.