Architecture
Security
How the site is built so common web attack surfaces simply don't exist — and how to tell us if you find one we missed.
Architecture at a glance
Free Tool Arena is a static Next.js site deployed on Vercel’s edge network. Every page is prerendered at build time and served as static HTML + JavaScript bundles. There is no application server, no database, no login system, and no user-generated content pipeline.
That means most of the usual attack surfaces that plague content sites — SQL injection, server-side code execution, authentication bypass, session hijacking — don’t apply. There’s nothing to inject into and nothing to authenticate against.
What runs where
On your device: every tool’s interactive logic — calculators, converters, formatters, encoders, the lot. Inputs stay in your browser. Outputs stay in your browser. Closing the tab wipes state; a couple of tools (favorites, recently used) persist in localStorage which you control.
On our servers (Vercel): static HTML/CSS/JS, the sitemap, the Open Graph image endpoint. Request-path code exists only for /og (dynamic social image rendering) and internal health checks.
Third parties we call: Vercel Web Analytics and Vercel Speed Insights (anonymous, cookieless, GDPR-aware). Google AdSense (a third-party ad provider that sets its own cookies — see privacy policy). A small number of tools hit public APIs where it’s core to the tool (IP Lookup, Public Holidays, Password Breach Checker via HIBP k-anonymity). Everything else is in-browser.
Transport & headers
HTTPS-only across the site with HSTS enabled by default at the edge. Standard hardening headers are set via vercel.json: X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Permissions-Policy. If one of these ever misbehaves with a legitimate browser feature, please send the exact error.
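As an added check (example code, not part of the site or its deployment), the following Python audits one response's headers against the five this section names. The accepted values and the one-year HSTS threshold are assumptions, since the page lists the headers it sets but not their values.

```python
from __future__ import annotations

# Added example, not the site's code. Expected values are assumptions: the page
# names the headers it sets but not their values.
POLICY = {
    "strict-transport-security": None,  # presence checked here, max-age below
    "x-content-type-options": {"nosniff"},
    "x-frame-options": {"deny", "sameorigin"},
    "referrer-policy": {"no-referrer", "same-origin", "strict-origin",
                        "strict-origin-when-cross-origin"},
    "permissions-policy": None,  # any explicit policy counts; absence is a finding
}

def hsts_max_age(value: str) -> int:
    """Parse max-age out of an HSTS header; 0 if absent or malformed."""
    for directive in value.split(";"):
        key, _, num = directive.strip().partition("=")
        if key.lower() == "max-age" and num.isdigit():
            return int(num)
    return 0

def audit_headers(headers: dict[str, str]) -> list[str]:
    """Return findings for one response's headers; an empty list means it passes."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    for name, allowed in POLICY.items():
        value = h.get(name)
        if value is None:
            findings.append(f"missing {name}")
        elif allowed is not None and value.lower() not in allowed:
            findings.append(f"weak {name}: {value}")
    hsts = h.get("strict-transport-security", "")
    if hsts and hsts_max_age(hsts) < 31536000:  # one year (assumed threshold)
        findings.append(f"short HSTS max-age: {hsts_max_age(hsts)}")
    return findings

# Constructed sample responses, not captured from the site.
GOOD = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
WEAK = {"Strict-Transport-Security": "max-age=300",
        "X-Content-Type-Options": "nosniff", "Referrer-Policy": "unsafe-url"}

if __name__ == "__main__":
    for label, hdrs in (("good", GOOD), ("weak", WEAK)):
        print(label, audit_headers(hdrs) or "ok")
```

Point it at a real response (for example the headers from a curl -I of the site) to confirm the edge is emitting what vercel.json declares.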
No user uploads, no public write paths
No tool on this site uploads your files to our servers. Tools that accept files (PDF, image, audio) process them in your browser only. Nothing you do on a tool page produces a write to a database, a queue, or a remote storage bucket owned by us.
There is no public comment form, no registration, and no API endpoint that accepts authenticated input. The entire surface is read-only.
Browser storage
Two small localStorage keys are used: fta.favorites.v1 (tool slugs you’ve starred) and fta.recent.v1 (tool slugs you’ve recently opened). Both are readable only by this domain and can be cleared from your browser’s site-data settings. Nothing else is stored.
Reporting a vulnerability
If you believe you’ve found a security issue — a misconfiguration, a header weakness, a supply-chain problem in a dependency, anything that could harm a user — please email hello@freetoolarena.com with the subject line Security. Include the URL, the steps to reproduce, and any proof-of-concept you’re comfortable sharing.
We don’t run a paid bounty program (the site is small), but we respond quickly, credit the reporter if they want credit, and fix the issue as fast as we can.
Dependencies
The tooling is an ordinary Next.js + React + Tailwind stack. We keep dependencies lean, pin versions, and upgrade when there’s a reason. We don’t install packages from obscure sources.
Last reviewed April 2026.