Local-first runtime
Most tools process input and output in your browser. External-request tools are labeled before network access.
byteflow.tools
Understand how byteflow.tools labels browser-local tools, external requests, sensitive inputs, storage, analytics, PWA cache behavior, security headers, and vulnerability reporting.
Most tools process input and output in your browser. External-request tools are labeled before network access.
External request tools disclose domains, purpose, and the kind of data your browser may send.
The app uses explicit trust labels, CSP-aware rendering, and a public vulnerability reporting path.
The tool runtime transforms input and output in the current browser tab without a tool-processing backend.
After the app shell and tool chunks have loaded, the core workflow can continue without network access when this label is present.
The tool can contact a disclosed network target only for the listed purpose and only when you run that external action.
The tool commonly handles tokens, keys, logs, certificates, URLs, or files, so verify the runtime boundary before pasting production data.
Use your browser Network panel to confirm whether a tool stays local or starts the disclosed external request.
The in-app Verification mode gives non-DevTools users a quick view of observed request hosts and storage keys. It is an aid only; use browser DevTools and source review for deeper assurance.
Offline behavior depends on the tool execution type and whether the app shell, page, and tool chunks have already loaded in this browser.
| Workflow type | Offline behavior | Cache and privacy boundary |
|---|---|---|
| Browser-local tools | Core transforms such as JSON formatting, Base64, Regex Tester, and UUID generation can run offline after the visited page and tool chunk are cached. | Only app shell, static assets, and code chunks are cached; tool input and output are not cached by the service worker. |
| File-based tools | Local file workflows such as image tools and HAR Sanitizer can run offline after their code is cached, using files selected from the current device. | Uploaded file contents stay in the page runtime and are not written to Cache Storage by default. |
| Pipeline Builder | Recipes made only of local steps can run offline after Pipeline Builder and the required step code have loaded. | Saved recipes store structure and safe options locally; runtime input, output, logs, and file contents are excluded by default. |
| External-request tools | Preview, lookup, and download actions that contact a disclosed remote host require network and show an offline error when unavailable. | External-request responses are network-only and are not cached by default. |
This table is generated from tool manifests so the Trust Center, privacy policy, and tool badges stay aligned.
| Tool | Domains | Purpose | Data sent |
|---|---|---|---|
| Instagram Photo Downloader | instagram.com | Download media from a URL you provide after you confirm you are allowed to use it. | The URL you provide may be requested by your browser. |
| Vimeo Thumbnail Grabber | vimeo.com, player.vimeo.com, vumbnail.com | Generate and preview public thumbnail image URLs derived from the video link you enter. | A derived public asset URL may be requested by your browser. |
| YouTube Thumbnail Grabber | youtube.com, youtube-nocookie.com, youtu.be, i.ytimg.com | Generate and preview public thumbnail image URLs derived from the video link you enter. | A derived public asset URL may be requested by your browser. |
Local storage is reserved for safe preferences such as theme, language, sidebar state, favorite tool IDs, recent tool IDs with timestamps, and local presets. Tool payloads, tokens, logs, file contents, full URLs, and generated outputs must not be persisted by default.
Analytics use an allowlisted event taxonomy and are disabled by default in runtime code. If a cookie-free aggregate provider is enabled, it may receive only safe event names and coarse parameters such as tool ID, action type, language, size bucket, result count, and source page. Tool input, output, JWTs, secrets, log bodies, file names, file contents, image contents, hash values, search query text, full URLs, user IDs, and session IDs are forbidden.
The PWA may cache versioned app shell files, static assets, icons, and tool chunks for offline use. External-request responses are network-only, and you can clear cached app files from the install page. Tool input, output, uploaded file content, and external-request responses must not be cached.
Security header checks guard transport security, referrer policy, content type sniffing, permissions policy, frame ancestors, object sources, and a CSP that avoids arbitrary script sources.
Tools that preview Markdown, HTML, SVG, or metadata should sanitize user-controlled markup and avoid relaxing CSP to make previews work.
Report suspected vulnerabilities through private GitHub Security Advisories. Use public issues only for non-security bugs or feature requests, and never include production secrets or private payloads in public reports.
No. Browser-local tools can continue offline after assets are cached, but tools marked External request need network access for the disclosed action.
Tool payloads are not meant to be stored by default. Storage is limited to safe preferences and local presets that must not contain sensitive payloads.
Check the tool trust header and this generated external request table, then verify in DevTools that network access starts only after your explicit action.