Effective July 11, 2026
Your tool data stays in the browser
Encoder input and output, steganography images, passphrases, extracted messages, Markdown documents, previews, and generated downloads are processed by JavaScript in your browser. The application has no upload endpoint for this content.
No advertising or third-party analytics code
Tool pages do not load advertising pixels, tag managers, or third-party analytics scripts. Application code and libraries are self-hosted. The site does not set account or advertising cookies.
Limited browser storage
The theme preference may be stored in local storage. A service worker may cache public static assets and the offline notice. It does not cache nonce-bearing tool pages or document content. Clearing this site's browser data removes those local items.
What the hosting layer can observe
As with any website, the hosting and network layers may create standard access or security logs containing request time, requested path, IP address, user agent, and error details. Query strings can appear in such logs, so do not place secrets in page URLs. Tool textarea, file, and passphrase values are not submitted with page requests.
Security boundaries and limitations
- Base64, URL encoding, HTML entity encoding, and hexadecimal conversion are representations—not encryption or sanitization guarantees.
- Steganography version 2 authenticates its envelope. Passphrase mode uses a 600,000-iteration PBKDF2-SHA-256 derivation and AES-256 encryption. A strong, unique passphrase remains essential.
- Social networks and image editors may resize or recompress PNG files and destroy hidden bits. Keep the original downloaded PNG.
- The Markdown preview disables raw HTML and sanitizes parsed output. Authored links or images in an exported file may contact their destinations when that file is opened elsewhere.
- No web application can protect data from a compromised browser, malicious extension, infected device, or someone with access to your screen or clipboard.
Security reporting
To report a vulnerability, email contact@universalencoderdecoder.com with reproduction steps, affected URL, impact, and a safe proof of concept. Please do not include real user secrets or perform destructive testing against the live service.