
Security

Last reviewed May 2026 · eu-fra1

Threat model

TruePdf is a document processing tool, not an authentication or payment system. The attack surface is narrow: file upload handling, Python serverless execution, and the browser-side preview.

What we protect against:

  • Clickjacking (X-Frame-Options DENY, CSP frame-ancestors 'none')
  • XSS via script injection (CSP nonce + strict-dynamic)
  • MIME confusion attacks (nosniff)
  • Cross-origin opener leakage (COOP same-origin)
  • Insecure transport (HSTS, upgrade-insecure-requests)
  • Cross-domain policy abuse (X-Permitted-Cross-Domain-Policies none)

What is explicitly out of scope:

  • User accounts — there are none. No credentials to steal.
  • Stored data — there is none. Files are discarded after each request.
  • Physical access to the server — TruePdf runs on Vercel managed infrastructure; server security is Vercel's responsibility.

Data handling

Files you upload are held in process memory for the duration of the API request (max 30 seconds). They are not written to disk, not logged, not stored in a database, and not accessible after the response is sent.

We do not set analytics cookies, load third-party scripts, or embed tracking pixels. The only external network requests your browser makes are to fonts.googleapis.com and fonts.gstatic.com for the Geist and Fraunces typefaces. Those two requests necessarily reveal your IP address to Google, and under the Referrer-Policy listed below they carry the site origin (not the full URL) as referrer.

HTTP security headers

Every response from TruePdf includes the following headers. You can verify them in your browser's DevTools under Network → Response Headers.

Header                             Value
Strict-Transport-Security          max-age=63072000; includeSubDomains; preload
X-Frame-Options                    DENY
Content-Security-Policy            nonce-per-request, strict-dynamic, no eval, no inline
X-Content-Type-Options             nosniff
Referrer-Policy                    strict-origin-when-cross-origin
Permissions-Policy                 camera=(), microphone=(), geolocation=(), payment=(), usb=()
Cross-Origin-Opener-Policy         same-origin
X-Permitted-Cross-Domain-Policies  none

Content Security Policy

TruePdf generates a fresh nonce from a cryptographic random source on every request and places it in the script-src directive together with 'strict-dynamic'. Only script elements carrying that nonce execute. Under 'strict-dynamic' a nonced script may in turn load further scripts it creates itself (for example via document.createElement('script')), but parser-inserted scripts and host allowlists are not trusted. 'unsafe-inline' and 'unsafe-eval' are never granted, so inline scripts without the nonce, eval(), and script hosts named by URL are all blocked.

The PDF preview uses pdfjs-dist, whose Web Worker is loaded from a blob: URL. worker-src is therefore 'self' blob:. This is the only deviation from a strict worker-src 'self' directive, and blob: is granted to workers only, not to script-src.

Transport

All traffic is served over TLS 1.3. The HSTS header is set with a two-year max-age, includeSubDomains and preload, which meets the requirements for submission to the browser HSTS preload list. Requests over plain HTTP are redirected to HTTPS; once a browser has seen the HSTS header it rewrites http:// URLs to https:// itself before any request is sent.

Bundle integrity

Production builds have source maps disabled. The JavaScript bundle is minified and identifier-mangled. Console output (except errors and warnings) is stripped at compile time. No debugging artifacts ship to production.

Cryptographic receipts

Every file download includes SHA-256 hashes of the input and output PDFs. You can recompute these at any time:

shasum -a 256 your-file.pdf

This lets you verify that the file TruePdf processed matches what you uploaded, and that the output you hold matches what the server produced. Note what the receipt does and does not prove: it is issued by the same service that produced the file, so it establishes integrity in transit and binds the output to your exact input, but it says nothing about whether the processing itself was correct. That question is answered by auditing the open source core described below.

Hosting

The Next.js frontend is deployed on Vercel's global edge network. Python processing functions run in Vercel's Frankfurt region (eu-fra1) with a 30-second execution limit. No data leaves the EU during processing.

Open source core

The PDF processing logic (PyMuPDF AP stream rewrite, redaction pipeline) is available for audit. Security-relevant behavior can be verified against the source without trusting the deployed service.

Reporting

To report a security issue, contact security@TruePdf.io. Please include steps to reproduce and the impact you believe the issue has. We aim to respond within 48 hours.