Privacy

All five tools (Email Header Analyzer, Image Metadata Viewer, PDF Metadata Viewer, EXIF Metadata Scrubber, File Hash Generator) run entirely in your browser. The email header you paste, the image or PDF you drop, the file you hash, none of it leaves your machine. There is no API endpoint on the server that accepts that data.

You can verify this in your browser's developer tools by opening the Network tab and using a tool. You'll see the page load, the CSS and JavaScript load, and then nothing else. No POST requests, no XHR, no fetch calls.

The server is a small Node/Express app that hands out static files. When you load a page, your browser makes an HTTP request that goes through Hostinger's CDN and then to the Node process. The standard web server access log records what every web server logs: your IP address, the URL you requested, the user agent string, and a timestamp. This is intrinsic to running any website and happens at the hosting layer.

The site does not collect, ship, store, or read those logs beyond what Hostinger does by default for infrastructure operations. There is no application-level logging of user inputs because the tools never send any inputs to the server in the first place.

There is one server endpoint that's not a static file: /health, which returns a small JSON status object. It accepts no input.

Nothing on these pages is loaded from a third party. The fonts (Inter, JetBrains Mono) are self-hosted. The CSS and JavaScript come from the same origin as the page. There are no ad networks, no analytics scripts, no fingerprinting libraries, no chat widgets, no embedded videos, no social share buttons that phone home, no Google Fonts CSS, no jsDelivr scripts.

This is enforced by the page's Content Security Policy, which is set to 'self' for scripts, styles, fonts, and connections. If an accidental third-party include ever slipped into a template, your browser would refuse to load it and you'd see a CSP violation in the console.

I use Google Search Console to see how Google indexes this site. GSC is a dashboard on Google's side that shows aggregate data about Google's own crawler and the search queries that lead people here. It doesn't add any script, pixel, or code to these pages. Setting it up required adding a DNS TXT record to prove I own the domain. Nothing about your visit reaches GSC because of how it's wired; it works off Google's own crawl data, not anything I instrument here.

This is different from Google Analytics, which would put a tracking script on every page. I don't use Google Analytics or any other analytics product. There are no analytics on this site, period.

The site sets no cookies.

The Email Header Analyzer writes one preference to your browser's localStorage: whether you opened the "How do I get a raw email header?" disclosure. Opening it once probably means you want it open next visit too. That value lives in your browser only. Nothing is sent to the server. Clear your site data in browser settings to remove it.

Don't take this page's word for any of the claims above. Your browser already has the tools to check.

Open the developer tools (F12 in most browsers, or right-click anywhere on a page and choose Inspect) and switch to the Network tab. Now use one of the tools. Paste a header, drop an image, drop a file. You'll see the page itself load, the CSS and JavaScript load, and then nothing else. No POST requests. No fetch calls. No outbound traffic to anywhere once the page is loaded. The network panel doesn't lie, and the site can't claim something it would contradict.

If you want to go deeper, the Console tab will flag any Content Security Policy violation. There shouldn't be any. If a future change ever caused one, you'd see it there.