en

Security at gottrix

gottrix.app processes files 100% locally in your browser: the conversion code has no access to any foreign server (enforced by the Content-Security-Policy), so an upload is technically impossible. Delivery runs over TLS 1.2/1.3 with HSTS (2 years), a complete set of security headers, and hosting at Hetzner in Germany. Every claim on this page is verifiable yourself.

Zero-upload architecture: security by omission

Typical online converters upload your file to a server, process it there and send the result back - every one of those steps is attack surface. gottrix removes the critical step entirely: the engines (for images, PDFs, audio, video and more) run as WebAssembly directly in your browser. What is never transmitted cannot be intercepted in transit, cannot leak from any server, and cannot be demanded from anyone.

This is enforced by architecture, not by policy, with two strictly separated zones: the code that touches your file bytes (engines and web workers) is locked to its own origin by the Content-Security-Policy and contains zero network calls - an automated test verifies that on every build. The page level, which never sees your files, may only reach a documented analytics allowlist.

  • Engines and workers: 0 network primitives, no foreign origins - statically checked on every build.
  • Page level: foreign requests only to the documented analytics allowlist, never file bytes.
  • No upload fallback: if local processing fails, you get an honest error message - never a server detour.
  • Offline proof: after your first visit the tools keep working in airplane mode - the strongest evidence that nothing is sent.

Transport: TLS and HSTS

The website is delivered exclusively over HTTPS - TLS 1.2 and 1.3 with modern cipher suites and automatically managed certificates. HTTP Strict Transport Security (HSTS) is set with max-age=63072000 (2 years) including subdomains: the browser then enforces HTTPS by itself on every future visit. For perspective: your file contents never travel over this connection, because they never leave your device - transport encryption protects the delivery of the site itself.

HTTP security headers

Every server response carries a complete set of security headers. The values are configuration, not aspiration: an automated test aborts any deploy where one is missing or differs.

HTTP security headers
Header and valueEffect
Strict-Transport-Security: max-age=63072000; includeSubDomainsEnforces HTTPS for 2 years, including all subdomains.
X-Frame-Options: DENYNo embedding of the site in foreign frames (clickjacking protection, doubly secured via frame-ancestors in the CSP).
X-Content-Type-Options: nosniffStops the browser from guessing content types and executing files as script.
Referrer-Policy: strict-origin-when-cross-originPasses at most the origin to foreign sites, never full URLs.
Permissions-Policy: camera=(), microphone=(), geolocation=(), usb=(), ...Disables 12 device and sensor APIs (camera, microphone, location, USB and more) the site does not need; only fullscreen stays allowed for the own origin.
Cross-Origin-Opener-Policy: same-originIsolates the browsing window from foreign pages that opened it.

The Content-Security-Policy in full

The CSP is the technical lock behind the zero-upload guarantee. It is generated from a single source file and rendered here live from exactly that source - all 15 directives, unabridged:

  • default-src 'self'
  • script-src 'self' 'wasm-unsafe-eval' 'sha256-CV3S3HJKkjkhiOy3jcZlYxFFZn1MxVO6SmmGkiwHFBA=' https://www.googletagmanager.com https://challenges.cloudflare.com
  • style-src 'self' 'unsafe-inline'
  • img-src 'self' data: blob: https://www.google-analytics.com https://*.google-analytics.com https://www.googletagmanager.com
  • media-src 'self' blob:
  • font-src 'self'
  • connect-src 'self' https://www.google-analytics.com https://*.google-analytics.com https://www.googletagmanager.com
  • worker-src 'self' blob:
  • frame-src 'self' blob: https://challenges.cloudflare.com
  • child-src 'self' blob:
  • object-src 'none'
  • base-uri 'none'
  • form-action 'self'
  • frame-ancestors 'none'
  • upgrade-insecure-requests

Google CSP Evaluator (checked on 2026-07-09): 0 findings of severity High. Besides the own origin, connect-src permits only the documented page-level analytics allowlist - metadata, never file contents.

Independent verification

Three external reviews are firmly planned and will run against the live domain at public launch: SSL Labs (TLS configuration), Mozilla Observatory (HTTP security posture) and securityheaders.com (header completeness). Results are shown and linked only once the scans have actually run - gottrix never displays unverified seals or grades, and an automated test in every build enforces exactly that.

Hosting and data location

The origin servers are operated by Hetzner Online GmbH in Germany and are subject to the GDPR. They hold nothing but the static website: no user accounts, no file contents, no content database. Server logs contain only technically necessary access data with a short retention period; a data processing agreement with Hetzner is in place. Since file processing happens locally in your browser, your file contents never reach this location anyway.

Analytics and consent

The anonymous usage analytics (Google Analytics 4 with Consent Mode v2 Advanced) starts with all signals set to denied: without your consent, no analytics cookie is set and no identifier is created. With consent, at most page views and the id of the tool used are measured - never file names, file sizes or file contents. All details and legal bases are in the privacy policy.

Read the privacy policy

Common questions about security

Is gottrix.app secure?

Its security rests on architecture rather than promises: files are processed exclusively locally in your browser and never transmitted to any server - a strict Content-Security-Policy forbids the conversion code every foreign connection. On top of that come TLS 1.2/1.3 with HSTS, a complete set of security headers and hosting in Germany. Each of these points is verifiable yourself in the source, the network tab or via the airplane-mode test.

Are my files uploaded or stored anywhere?

No. Conversion runs entirely in your browser’s memory; there is no upload endpoint and no server-side storage for file contents. The Content-Security-Policy denies the engine and worker code any connection to foreign servers, and an automated test verifies that on every build. Close the tab and the data is gone - there is nothing that would need deleting server-side.

What encryption does gottrix.app use?

The website is delivered exclusively over HTTPS with TLS 1.2 and 1.3 and modern cipher suites; HSTS enforces HTTPS for two years including subdomains. Your file contents themselves never travel over any connection, because they never leave your device - transport encryption protects the delivery of the site and the optional, consent-based usage metadata.

Where are the servers hosted?

The origin servers are operated by Hetzner Online GmbH in Germany, under the GDPR. They hold nothing but the static website: no user accounts, no file contents, no content database. Because processing happens locally in your browser, the server location is irrelevant for your file contents - they never reach it at any point.

How can I verify these security claims myself?

Three ways that need no special expertise: the airplane-mode test (open a tool, disconnect, convert - it keeps working), the network tab of the developer tools (F12: no file request during conversion), and the response headers any browser can display. The step-by-step guide is on the proof page; at public launch, external scans by SSL Labs, Mozilla Observatory and securityheaders.com are added.

What data does gottrix collect at all?

Without your consent: no analytics cookies and no identifiers, only technically necessary server logs with a short retention period. With consent, Google Analytics 4 measures aggregated usage such as page views and the id of the tool used; file names, file sizes and file contents are never recorded. The full legal bases and how to withdraw consent are in the privacy policy.

How this is verifiable