Security
Last updated: April 2026
How Vothlab Works
Every tool on Vothlab runs entirely inside your browser. No data is sent to any server — there is no backend, no database, and no user accounts. When you paste a JWT token, type a password, or upload a file, that data never leaves your device.
The site is served as a static bundle from AWS S3 + CloudFront. There is no server-side processing of any kind.
Security Practices
- All tool output that renders HTML is sanitized before display to prevent cross-site scripting.
- Passwords are generated using a cryptographically secure random number generator built into the browser.
- Cryptographic hashes are computed using the browser's native Web Cryptography API.
- JWT decoding is client-side only. Signatures are never verified — the tool is for inspection, not authentication.
- Weak hash algorithms are flagged in the UI with a security warning.
- Input size limits are enforced across tools to prevent browser resource exhaustion.
- No analytics, no tracking scripts, no third-party data collection of any kind.
Responsible Disclosure
If you discover a security vulnerability in Vothlab, please report it responsibly. We appreciate the effort and will credit you publicly if you wish.
Option 1 — Email
support@vothlab.com
Option 2 — Bug report
Use the icon in the top-right corner of any page to submit a report directly from the site.
Please include a clear description of the vulnerability, steps to reproduce, and your assessment of impact. We aim to respond within 48 hours.
Scope
The following are in scope for responsible disclosure:
- Cross-site scripting (XSS) in any tool output or preview
- Unintended network requests transmitting user data
- Bypass of HTML sanitization in rendered output
- Prototype pollution via parsed data formats
Out of scope: denial of service against the static CDN, brute-force attacks, social engineering, and issues requiring physical access to a device.
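For the prototype-pollution item in the scope list, the following added example (not Vothlab's code) shows the defensive side: JSON.parse itself is safe, but it produces an own property literally named "__proto__" when the input contains one, and a naive recursive merge into settings or state then writes through it into Object.prototype. The two functions below report such keys in parsed data and merge without honouring them; the sample input is constructed for the example.

```javascript
// Added example (not Vothlab's code): guarding a client-side merge against prototype pollution.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Walk parsed data and return path-style locations of dangerous keys (empty array = clean).
function findDangerousKeys(value, path = '$', out = []) {
  if (value === null || typeof value !== 'object') return out;
  for (const key of Object.keys(value)) {
    const here = Array.isArray(value) ? `${path}[${key}]` : `${path}.${key}`;
    if (DANGEROUS_KEYS.has(key)) out.push(here);
    findDangerousKeys(value[key], here, out);
  }
  return out;
}

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Deep-merge `source` into `target`, skipping keys that could reach the prototype chain.
// Object.keys yields own enumerable keys only, so inherited properties are never copied either.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (DANGEROUS_KEYS.has(key)) continue;
    const sv = source[key];
    if (isPlainObject(sv)) {
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], sv);
    } else {
      target[key] = sv; // arrays and primitives are assigned as values
    }
  }
  return target;
}

// Constructed sample input: the kind of text a user might paste into a JSON tool.
const SAMPLE_INPUT =
  '{"theme":{"font":"mono"},"__proto__":{"polluted":"yes"},"list":[{"constructor":1}]}';

function demo() {
  const parsed = JSON.parse(SAMPLE_INPUT);
  const findings = findDangerousKeys(parsed);
  const merged = safeMerge({ theme: { size: 12 } }, parsed);
  // A fresh object must not see `polluted` if the merge stayed off the prototype chain.
  return { findings, merged, prototypeClean: ({}).polluted === undefined };
}
```

Reporting the offending paths before merging is what lets a tool show the user a warning rather than silently dropping keys; the merge then enforces the same rule regardless of what the report said.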