Security & Responsible Disclosure
The Free AI Tools emphasizes local processing, browser hardening headers, sanitized previews, and careful handling of remote lookups. This page outlines the current security posture and how to report vulnerabilities.
Last updated: May 6, 2026
Security posture
Most tools process content locally in the browser — your files and inputs are never uploaded to an app server.
Security headers are configured for clickjacking protection, MIME sniffing prevention, referrer policy, and content restrictions.
User-controlled HTML preview paths are sanitized before rendering.
Remote-request tools block local, private, and reserved hosts to prevent server-side request forgery.
Threats we actively reduce
| Threat | Mitigation |
|---|---|
| XSS | Sanitized previews and safer highlighting/rendering paths throughout. |
| SSRF-style abuse | Localhost, RFC1918, link-local, and reserved targets are rejected in browser lookup tools. |
| Unsafe XML/tag output | Tool output is escaped before rendering or download. |
| Unnecessary attack surface | Placeholder endpoints and unsupported public links have been removed from production. |
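A sketch of the kind of target check the SSRF row describes, as an added example rather than The Free AI Tools' own code. The function names and the exact list of blocked ranges are assumptions chosen for illustration; parsing with `URL` first means alternate IPv4 spellings are canonicalized before the range test.

```javascript
// Added illustration; names and range list are assumptions, not the site's code.
// IPv4 blocks to reject: loopback, RFC 1918, link-local, and reserved ranges.
const BLOCKED_V4 = [
  '0.0.0.0/8', '10.0.0.0/8', '100.64.0.0/10', '127.0.0.0/8', '169.254.0.0/16',
  '172.16.0.0/12', '192.0.0.0/24', '192.0.2.0/24', '192.168.0.0/16',
  '198.18.0.0/15', '198.51.100.0/24', '203.0.113.0/24', '224.0.0.0/4', '240.0.0.0/4',
].map((cidr) => {
  const [base, bits] = cidr.split('/');
  return { base: v4ToInt(base), mask: (~0 << (32 - Number(bits))) >>> 0 };
});

function v4ToInt(dotted) {
  return dotted.split('.').reduce((acc, octet) => acc * 256 + Number(octet), 0);
}

function isBlockedV4(dotted) {
  const ip = v4ToInt(dotted);
  return BLOCKED_V4.some(({ base, mask }) => ((ip & mask) >>> 0) === base);
}

function isBlockedV6(addr) {
  if (addr === '::' || addr === '::1') return true; // unspecified, loopback
  const mapped = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(addr);
  if (mapped) { // IPv4-mapped address: test the embedded IPv4 address
    const hi = parseInt(mapped[1], 16);
    const lo = parseInt(mapped[2], 16);
    return isBlockedV4([hi >> 8, hi & 255, lo >> 8, lo & 255].join('.'));
  }
  const first = parseInt(addr.split(':')[0] || '0', 16);
  return (first & 0xfe00) === 0xfc00 // fc00::/7 unique local
    || (first & 0xffc0) === 0xfe80   // fe80::/10 link-local
    || (first & 0xff00) === 0xff00;  // ff00::/8 multicast
}

function isBlockedTarget(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch { return true; } // unparseable: reject
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return true;
  const host = url.hostname.replace(/\.$/, ''); // drop a trailing root dot
  if (host.startsWith('[')) return isBlockedV6(host.slice(1, -1));
  if (/^\d+\.\d+\.\d+\.\d+$/.test(host)) return isBlockedV4(host);
  return host === 'localhost' || host.endsWith('.localhost');
}
```

This tests only the literal host in the URL; a public name that resolves to a private address is outside what it can see and needs a check on the resolved address.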
Browser support target
The app is designed for current evergreen versions of Chrome, Firefox, Safari, Edge, and Brave. Some advanced tools depend on Web Crypto, Canvas, MediaRecorder, AudioContext, Clipboard, or File APIs, so behavior can vary in older or restricted browsers.
Responsible disclosure
If you believe you have found a security issue, please contact us at security@thefreeaitools.com. Provide a clear description of the issue, the steps to reproduce it, and any relevant screenshots or proof-of-concept.
Please avoid the following during disclosure testing:
- Destructive or irreversible testing
- Social engineering of any person
- Denial-of-service attempts
- Accessing data that does not belong to you
The published policy is also available at /.well-known/security.txt.
Important note
This page describes engineering controls, not a legal guarantee or certification. If you need formal compliance review, please conduct an independent security and legal assessment for your deployment context.
Contact
For security disclosures or general inquiries, use the appropriate channel below:
| Purpose | Email |
|---|---|
| General enquiries | hello@thefreeaitools.com |
| Support & tool issues | support@thefreeaitools.com |
| Security disclosures | security@thefreeaitools.com |
| Other | info@thefreeaitools.com |