Skip to main content
CSV First Aid

Security & Privacy

Your data never leaves your device. You can verify this in under a minute.

The file stays in your browser

When you drop a CSV, it lands in your browser's memory. Processing runs locally — JavaScript and WebAssembly inside the tab — and the result is handed straight back. The only outbound traffic is loading the app code itself.

No analytics on your file content

Row counts, column names, cell values — none of it reaches us. For visitor stats we use Cloudflare Web Analytics: cookieless, no fingerprinting, no third-party trackers. It counts page views and rough origin (URL, country, referrer) and stops there. It can't see your file because the file never leaves the tab.

HTTP security headers

Every response sets HSTS, X-Frame-Options DENY, a tight CSP, and strict Referrer-Policy. Check them yourself with `curl -I https://csvfirstaid.com` — or with any HTTP header checker.

CSV injection protection

A cell starting with =, +, -, or @ can run as a formula in Excel — attackers have used this to exfiltrate data through shared exports. On export we prefix those cells with a single quote, so Excel reads them as plain text.

You can check it yourself

There's no "trust us" here. Open DevTools → Network, drop a file, and process it. You'll see zero requests carrying your file data. For that to stop being true, we'd have to change the client code — and you'd see the new bundle on your next visit.