NoSend Tools
ja en

SECURITY

Security and audit procedures

The procedures and policies that keep "runs entirely in the browser" a claim a third party can verify rather than a marketing line.

Runtime audit via DevTools

On any tool page, open DevTools (Chrome / Firefox / Safari), switch to the Network tab, enable Preserve log, and start recording. Exercise the tool normally — pick files, run, download the result. The requests shown will be limited to (a) the initial HTML / JS / CSS for the page, (b) WASM artefacts for libraries (ffmpeg.wasm, the kuromoji dictionary, etc.) on first use, and (c) shared analytics / ad SDKs (Cloudflare Web Analytics and Google AdSense).

No request will carry user input as its body. If one ever did, the site's claim would be broken in that moment. The procedure needs no specialised security tooling — a browser is enough.

Open source plus dependency audit

The site's source is on GitHub at otomomik/nosend-tools. Each tool's implementation lives at `src/tools/<category>/<slug>/`, and you can verify at code level that none of them pipe user input into `fetch`.

Every npm dependency is enumerated on the /libraries page with its license, version, and repository URL. The list is generated by `pnpm licenses:gen` scanning `node_modules`, and refreshed on every build.

Dependency selection criteria

When introducing a new npm dependency, AGPL / SSPL / Commons Clause are off-limits. These propagate their obligations when the software is exposed over a network, which can infect the whole site. GPL / LGPL are acceptable as long as the source remains public; MIT / Apache-2.0 / BSD are preferred.

The second filter is maintenance and audit visibility: commits in the past year, more than one maintainer, and a clearly tracked issues channel for vulnerability reports. `pnpm audit` is run as part of CI, and any newly-disclosed CVE triggers an update.

What the operator does collect

Tool input is not transmitted, but the operator does collect a minimum of operational data. Cloudflare Web Analytics measures aggregate site usage without cookies or fingerprinting. Reports submitted through the Report dialog are stored in Cloudflare D1 to drive improvements — this is the single intentional outbound path (see the Privacy Policy).

Google AdSense loads its SDK for ad serving. Cookies may be used to tailor ads based on browsing across sites. The site's own code does not contain a path that transmits actual tool input to the ad provider. Users running an ad blocker will see no difference in tool behaviour.