
Scanner privacy and infra

Last updated .

What the scanner does in your browser

The scanner is client-side JavaScript. It reads your browser's fingerprintable surface — canvas, audio, WebGL, WebGPU, fonts, client hints, timezone, navigator properties, sensor APIs, media devices — and runs each probe to a verdict (Private / Leaking / Farbled / Spoofed / Unchanged) locally. Probe output stays in-tab. Fingerprint values are never transmitted to our server.

You can watch this happen. Open the DevTools Network panel, run a scan, and confirm that no probe posts a fingerprint value anywhere: there are no POST bodies carrying canvas hashes, font lists or similar. The only outbound requests during a scan are to the two endpoints below.

What leaves the browser

GET /api/scan/nonce

Returns a 16-byte random token. Its only job is to let the /api/scan/headers endpoint below confirm that the request came from a scanner session that loaded this page. Storage: SQLite on tmpfs (RAM-backed, wiped on process restart). TTL: 60 seconds, after which the row is deleted. The token is not indexed by IP, user-agent, or anything else.

GET /api/scan/headers

Echoes back the HTTP request headers your browser sent on that request, so the in-page JavaScript can compare JS-reported values (navigator.userAgent, navigator.userAgentData, navigator.language) against what the network actually saw. The response is computed from the incoming request; no state is stored server-side. The nonce is validated and burned, so it cannot be replayed; request logs do not retain headers.

Lifetime of each data point

Data point                 Where                            Lifetime
Probe fingerprint value    Your browser tab (memory)        Until the tab closes
Nonce                      Scanner backend (tmpfs SQLite)   60 s
Request access log         Origin server, /var/log          7-day ring buffer
Authoritative DNS query    Cloudflare (DNS-only)            Per Cloudflare policy

DNS posture

Cloudflare is our authoritative DNS provider and nothing more. We do not use Cloudflare as a reverse proxy: no requests are proxied through Cloudflare's network, and there is no Cloudflare analytics, no Cloudflare Bot Management and no Workers in the request path. The orange cloud is off. You can confirm this yourself: our A/AAAA records resolve to the origin host, not to Cloudflare's proxy address ranges.

This means Cloudflare's authoritative nameservers see DNS lookups for our domain. They do not see your browser's HTTPS traffic; that goes directly to our origin. If the DNS-level metadata concerns you, use a privacy-respecting recursive resolver (Quad9, NextDNS, Mullvad): Cloudflare then sees the resolver's query rather than your address, and only when the resolver's cache has expired. Check that the resolver does not forward EDNS Client Subnet, which would reattach part of your IP to the query. With that in place, the information Cloudflare sees about you individually is close to zero.

Source code

  • Site: github.com/vulnix0x4/privacy-hub-site — AGPL-3.0-or-later.
  • Scanner backend (Roadmap, Phase 3): the nonce, headers and JA4 Docker services land in a public repository once the TLS sidecar reaches production. The site-level scan (22 client-side vectors) is already live and self-contained; Phase 3 adds the TLS/DNS observation pipeline.

Audit commitments

  • 6-month infra audit. Before , we will publish an infra posture report: hosts, daemons, config deltas since launch, access-log samples, and a fresh TLS and JA3/JA4 scan of our own endpoints. The report lands in the changelog and is signed with the PGP key.
  • 24-month deep audit. Before , an independent third-party security review of the scanner backend, with the report published verbatim. We pay; the auditor reports to the public.
  • Quarterly asciinema attestation (Roadmap, Phase 3). Once per quarter we record a terminal session (via asciinema) showing the scanner backend's runtime state: no persistent storage, the tmpfs mount, the process tree, and open ports. The first attestation lands when the Phase 3 backend goes live. Published in the changelog.

What would trigger a breach disclosure

Anything that contradicts the table above. If the nonce store ever holds data beyond 60 seconds by design, that is a disclosure. If the access log ever crosses into analytics territory, that is a disclosure. If Cloudflare is ever switched to proxying (orange cloud on), that is a disclosure. Disclosures land at the top of the changelog, never quietly.