Local-first runtime
Most tools process input and output in your browser. External-request tools are labeled before network access.
byteflow.tools
Understand how byteflow.tools labels browser-local tools, external requests, sensitive inputs, storage, analytics, PWA cache behavior, security headers, and vulnerability reporting.
External request tools disclose domains, purpose, and the kind of data your browser may send.
The app uses explicit trust labels, CSP-aware rendering, and a public vulnerability reporting path.
The tool runtime transforms input and output in the current browser tab without a tool-processing backend.
After the app shell and tool chunks have loaded, the core workflow can continue without network access when this label is present.
The tool can contact a disclosed network target only for the listed purpose and only when you run that external action.
The tool commonly handles tokens, keys, logs, certificates, URLs, or files, so verify the runtime boundary before pasting production data.
Use your browser's Network panel to confirm whether a tool stays local or starts the disclosed external request.
This table is generated from tool manifests so the Trust Center, privacy policy, and tool badges stay aligned.
| Tool | Domains | Purpose | Data sent |
|---|---|---|---|
| Instagram Photo Downloader | instagram.com | Download media from a URL you provide after you confirm you are allowed to use it. | The URL you provide may be requested by your browser. |
| Vimeo Thumbnail Grabber | vimeo.com, player.vimeo.com, vumbnail.com | Generate and preview public thumbnail image URLs derived from the video link you enter. | A derived public asset URL may be requested by your browser. |
| YouTube Thumbnail Grabber | youtube.com, youtube-nocookie.com, youtu.be, i.ytimg.com | Generate and preview public thumbnail image URLs derived from the video link you enter. | A derived public asset URL may be requested by your browser. |
Local storage is reserved for safe preferences such as theme, language, sidebar state, recent tool IDs, and local presets. Tool payloads, tokens, logs, file contents, and generated outputs must not be persisted by default.
Analytics are limited to aggregate product signals such as page views and safe event names. Tool input, output, JWTs, secrets, log bodies, file contents, image contents, search query text, and full URLs are not analytics fields.
The PWA may cache the app shell, static assets, icons, and tool chunks for offline use. It must not cache tool input, tool output, uploaded file content, or external-request responses.
Security header checks guard transport security, referrer policy, content type sniffing, permissions policy, frame ancestors, object sources, and a CSP that avoids arbitrary script sources.
Tools that preview Markdown, HTML, SVG, or metadata should sanitize user-controlled markup and avoid relaxing CSP to make previews work.
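One way to express the header checks described above as code. This is an added example, not byteflow.tools' own check: the header names and the pass criteria (for instance requiring `object-src 'none'` and rejecting `'unsafe-inline'` in `script-src`) are assumptions mapped from the listed categories, and both sample responses are constructed.

```javascript
// Added example: header names and pass criteria are assumptions mapped from
// the categories listed above, not the project's own check code.
function parseCsp(value) {
  const policy = {};
  for (const part of (value || "").split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // Browsers honour only the first occurrence of a directive.
    if (name && !(name.toLowerCase() in policy)) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Return the failed categories for one response's headers ([] means all pass).
function auditHeaders(rawHeaders) {
  const h = {};
  for (const [k, v] of Object.entries(rawHeaders)) h[k.toLowerCase()] = String(v);
  const csp = parseCsp(h["content-security-policy"]);
  // script-src and object-src fall back to default-src; frame-ancestors does not.
  const script = csp["script-src"] || csp["default-src"] || null;
  const object = csp["object-src"] || csp["default-src"] || null;
  const loose = new Set(["*", "'unsafe-inline'", "'unsafe-eval'", "http:", "https:", "data:"]);
  const failures = [];
  const check = (name, ok) => { if (!ok) failures.push(name); };
  check("transport-security", /max-age=[1-9]\d*/i.test(h["strict-transport-security"] || ""));
  check("referrer-policy", /^(no-referrer|same-origin|strict-origin|strict-origin-when-cross-origin)$/i
    .test((h["referrer-policy"] || "").trim()));
  check("content-type-sniffing", (h["x-content-type-options"] || "").trim().toLowerCase() === "nosniff");
  check("permissions-policy", "permissions-policy" in h);
  check("frame-ancestors", Array.isArray(csp["frame-ancestors"]) && !csp["frame-ancestors"].includes("*"));
  check("object-src", object !== null && object.length === 1 && object[0] === "'none'");
  check("script-src", script !== null && !script.some((s) => loose.has(s.toLowerCase())));
  return failures;
}

// Constructed sample responses (not captured from the site).
const hardened = {
  "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "X-Content-Type-Options": "nosniff",
  "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
  "Content-Security-Policy":
    "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'",
};
const relaxed = { // a CSP loosened so an inline preview script can run
  ...hardened,
  "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' https:",
};
console.log(auditHeaders(hardened)); // []
console.log(auditHeaders(relaxed));  // [ 'frame-ancestors', 'object-src', 'script-src' ]
```

The `relaxed` case shows what a preview-driven CSP change costs: replacing the policy drops `frame-ancestors` and `object-src` along with opening `script-src`, and the check reports all three.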
Report suspected vulnerabilities through GitHub Security Advisories or the repository issue process. Do not include production secrets or private payloads in public reports.
No. Browser-local tools can continue offline after assets are cached, but tools marked External request need network access for the disclosed action.
Tool payloads are not meant to be stored by default. Storage is limited to safe preferences and local presets that must not contain sensitive payloads.
Check the tool trust header and this generated external request table, then verify in DevTools that network access starts only after your explicit action.