This is a client-side application with no backend. All data is stored locally in the browser's localStorage.
| Version | Supported |
|---|---|
| Latest | ✅ |
- All user inputs are sanitized using the `escapeHtml()` function
- `innerHTML` usage is carefully controlled and escaped
- No `eval()` or `Function()` constructor usage
- URL sanitization blocks `javascript:`, `data:`, and `vbscript:` schemes via the `sanitizeUrl()` function
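The two helpers named above, as an added example (this is not the project's own code; the function names follow the page, the bodies and the extra `isAllowedUrl()` allowlist variant are this example's assumptions about how such helpers should behave):

```javascript
// Added example, not the project's own code: reference implementations of the
// escapeHtml() and sanitizeUrl() helpers named on the page. The function names
// match the page; the bodies, and the extra isAllowedUrl() allowlist variant,
// are this example's assumptions about how such helpers should behave.

// Every HTML-significant character and its entity. Escaping both quote styles
// keeps the output safe inside attribute values as well as in text nodes.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Schemes that run script or smuggle attacker-chosen content when used as a link.
const BLOCKED_SCHEMES = ['javascript:', 'data:', 'vbscript:'];

// Blocklist check as described on the page. Per the URL Standard a browser
// strips leading/trailing C0 controls and spaces, removes tab and newline
// anywhere, and matches the scheme case-insensitively, so "java\tscript:" and
// " JAVASCRIPT:" both execute. The check normalises at least that aggressively
// before comparing, then returns the original (trimmed) value if it is clean.
function sanitizeUrl(url) {
  const normalised = String(url)
    .replace(/[\u0000-\u0020\u007f]/g, '')
    .toLowerCase();
  if (BLOCKED_SCHEMES.some((scheme) => normalised.startsWith(scheme))) {
    return 'about:blank';
  }
  return String(url).trim();
}

// Stronger alternative: let the platform URL parser resolve the value exactly
// as the browser will, then allow only known-safe schemes. Relative links
// resolve against the dummy base and therefore pass as https:.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:', 'mailto:']);

function isAllowedUrl(url) {
  let parsed;
  try {
    parsed = new URL(String(url), 'https://placeholder.invalid/'); // base is a dummy
  } catch {
    return false;
  }
  return ALLOWED_PROTOCOLS.has(parsed.protocol);
}
```

`sanitizeUrl()` is the blocklist the page describes; `isAllowedUrl()` is the safer shape when the set of legitimate link types is known, because a blocklist has to anticipate every dangerous scheme while an allowlist only has to name the safe ones.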
- All data stored in localStorage (client-side only)
- No sensitive data transmission to external servers
- JSON parsing with error handling
- localStorage quota exceeded handling
- CDN scripts include Subresource Integrity (SRI) hashes
- CORS (`crossorigin` attribute on CDN script tags, which SRI verification requires) and referrer policies configured
- Integrity checks for jsPDF and html2canvas libraries
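The JSON parsing and quota handling listed above, as an added example (not the project's own code; the storage key name, the checklist record shape and the in-memory stand-in for `localStorage` are assumptions made so the code runs outside a browser):

```javascript
// Added example, not the project's own code: defensive JSON load/save around a
// Storage-like object, handling the two failure modes the page lists (bad JSON
// and a full quota). The key name and record shape are assumptions.

const STORAGE_KEY = 'checklists'; // assumed key

// Browsers disagree on how a full quota is reported; check the common spellings.
function isQuotaError(err) {
  return Boolean(err) && (err.name === 'QuotaExceededError' ||
    err.name === 'NS_ERROR_DOM_QUOTA_REACHED' || err.code === 22 || err.code === 1014);
}

// Parse stored JSON and keep only records of the expected shape, so a corrupted
// or hand-edited value cannot crash the app or smuggle unexpected types in.
// Reading localStorage itself can throw (e.g. storage disabled), hence the try.
function loadChecklists(storage) {
  let raw;
  try { raw = storage.getItem(STORAGE_KEY); } catch { return []; }
  if (raw === null) return [];
  let parsed;
  try { parsed = JSON.parse(raw); } catch { return []; }
  if (!Array.isArray(parsed)) return [];
  return parsed.filter((c) => c && typeof c === 'object'
    && typeof c.name === 'string' && Array.isArray(c.items));
}

// Report failure as a value instead of throwing, so the caller can tell the
// user the save did not happen rather than silently losing the checklist.
function saveChecklists(storage, checklists) {
  const payload = JSON.stringify(checklists);
  try {
    storage.setItem(STORAGE_KEY, payload);
    return { ok: true, bytes: payload.length };
  } catch (err) {
    return { ok: false, reason: isQuotaError(err) ? 'quota' : 'unavailable', bytes: payload.length };
  }
}

// Constructed stand-in for window.localStorage with a byte limit, used only so
// this example runs outside a browser; it throws the way Chromium does.
function makeFakeStorage(limitBytes) {
  const data = new Map();
  const used = () => [...data.entries()].reduce((n, [k, v]) => n + k.length + v.length, 0);
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem(k, v) {
      const prev = data.has(k) ? k.length + data.get(k).length : 0;
      if (used() - prev + k.length + String(v).length > limitBytes) {
        const e = new Error('quota'); e.name = 'QuotaExceededError'; throw e;
      }
      data.set(k, String(v));
    },
    removeItem: (k) => { data.delete(k); },
  };
}
```

In the browser the same functions are called with `window.localStorage`; the filtering in `loadChecklists()` matters because anything with access to the origin (an extension, a user editing DevTools) can write arbitrary values under the key.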
CSP meta tag configured with restrictive policy:
| Directive | Value | Purpose |
|---|---|---|
| `default-src` | `'self'` | Only same-origin resources by default |
| `script-src` | `'self'` + CDN hosts | No `'unsafe-inline'`; all scripts are external files |
| `style-src` | `'self' 'unsafe-inline'` + Tailwind | Required by the Tailwind CSS CDN JIT compiler |
| `img-src` | `'self' data:` | Canvas export support; no external `https:` sources |
| `connect-src` | `'self'` | Only same-origin fetch requests |
| `frame-ancestors` | `'none'` | Intended to prevent clickjacking; browsers ignore this directive when CSP is delivered in a `<meta>` tag, so it is not enforced here |
| `base-uri` | `'self'` | Prevents `<base>` tag hijacking |
| `form-action` | `'self'` | Forms submit only to same-origin |
Additional measures:
- External link targets use `rel="noopener noreferrer"` to prevent tabnabbing
- Referrer-Policy set to `strict-origin-when-cross-origin`
Known Limitations:
- `style-src 'unsafe-inline'` is required by the Tailwind CSS CDN's JIT compiler, which injects generated styles at runtime; this weakens CSP against style injection but does not permit inline script.
- GitHub Pages does not support custom HTTP headers, so X-Frame-Options, X-Content-Type-Options and a header-delivered CSP cannot be set. The CSP is delivered in a `<meta>` tag, and browsers ignore `frame-ancestors` (as well as `report-uri` and `sandbox`) in a meta-delivered policy, so the site has no enforced clickjacking protection.
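The policy from the table above and the meta-delivery limitation, as an added example (not the project's own code): it serialises the directives, parses them back, and flags the things a reviewer would check, namely `'unsafe-inline'`/`'unsafe-eval'` in `script-src`, a missing `default-src` or `base-uri`, and any directive that browsers ignore when the policy is delivered via `<meta http-equiv="Content-Security-Policy">`. The CDN host names are placeholders, not the project's actual hosts.

```javascript
// Added example, not the project's own code. Host names are placeholders.

// Directives the CSP specification says are ignored when delivered via <meta>.
const META_UNSUPPORTED = new Set(['frame-ancestors', 'report-uri', 'sandbox']);

// The policy as described on the page, with placeholder CDN hosts.
const POLICY = {
  'default-src': ["'self'"],
  'script-src': ["'self'", 'https://cdn.example', 'https://cdnjs.example'],
  'style-src': ["'self'", "'unsafe-inline'", 'https://tailwind-cdn.example'],
  'img-src': ["'self'", 'data:'],
  'connect-src': ["'self'"],
  'frame-ancestors': ["'none'"],
  'base-uri': ["'self'"],
  'form-action': ["'self'"],
};

// Turn the directive map into the string that goes in the meta content attribute.
function serializePolicy(policy) {
  return Object.entries(policy).map(([d, v]) => `${d} ${v.join(' ')}`).join('; ');
}

// Parse a policy string back into { directive: [sources] }.
function parsePolicy(text) {
  const out = {};
  for (const part of text.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) out[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return out;
}

// Returns a list of findings for the given delivery mechanism ('meta' or
// 'header'); an empty list means the policy does what the table claims.
function lintPolicy(text, delivery) {
  const p = parsePolicy(text);
  const findings = [];
  const scripts = p['script-src'] || p['default-src'] || [];
  if (scripts.includes("'unsafe-inline'")) findings.push("script-src allows 'unsafe-inline'");
  if (scripts.includes("'unsafe-eval'")) findings.push("script-src allows 'unsafe-eval'");
  if (!p['default-src']) findings.push('no default-src fallback');
  if (!p['base-uri']) findings.push('base-uri missing');
  if (delivery === 'meta') {
    for (const d of Object.keys(p)) {
      if (META_UNSUPPORTED.has(d)) findings.push(`${d} is ignored when CSP is delivered via <meta>`);
    }
  }
  return findings;
}
```

Running `lintPolicy(serializePolicy(POLICY), 'meta')` reports only the `frame-ancestors` finding: the policy is otherwise as strict as the table says, and the one directive that cannot work on GitHub Pages is the one that was meant to stop framing.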
If you discover a security vulnerability, please report it by:
- DO NOT create a public GitHub issue
- Contact the repository owner directly through GitHub
- Provide detailed information about the vulnerability
- Allow reasonable time for a fix before public disclosure
We take security seriously and will respond promptly to legitimate security concerns.
- Local Storage Only: All data is stored in your browser. Clearing browser data will delete all checklists.
- No Account Required: This tool runs entirely in your browser with no user authentication.
- Backup Important Data: Export your checklists as JSON files for backup purposes.
- Browser Security: Keep your browser updated for the latest security patches.
- Public Computer Warning: Do not use this tool on public/shared computers for sensitive equipment lists.
This application uses:
- Tailwind CSS (CDN) - Styling framework
- jsPDF (CDN with SRI) - PDF generation
- html2canvas (CDN with SRI) - HTML to canvas conversion
All dependencies are loaded from trusted CDNs with integrity checks where possible.
- No Analytics: This application does not use Google Analytics or any tracking.
- No Cookies: No cookies are set by this application.
- No External Data Transmission: All data remains in your browser's localStorage.
- GitHub Pages Hosting: Standard GitHub Pages privacy policy applies.
This project is licensed under the MIT License - see the LICENSE file for details.