
Security: staticeys/blokwork


SECURITY.md

Security Policy

Overview

Blokwork is a privacy-focused, offline-first text management application. Security and user privacy are core design principles.

Security Features

Client-Side Only

  • No Server Communication: All data stays in your browser
  • No Tracking: No analytics, telemetry, or external connections
  • No Authentication Required: Your data never leaves your device

Content Security Policy (CSP)

Blokwork implements a strict Content Security Policy:

  • default-src 'none' - Deny all by default
  • script-src 'self' - Only local JavaScript allowed
  • style-src 'self' - Only local CSS allowed
  • connect-src 'none' - No external connections
  • frame-ancestors 'none' - Prevents clickjacking

Input Sanitization

  • DOMPurify Integration: All markdown content is sanitized before rendering
  • URL Validation: Strict protocol whitelist (http, https, mailto, tel only)
  • Prototype Pollution Protection: Validated JSON structure on import
  • Size Limits: All user inputs have maximum size constraints

Safe URL Handling

  • Dangerous protocols blocked (javascript:, data:, file:)
  • All external links open with noopener noreferrer
  • Automatic HTTPS upgrade for bare domain URLs
  • URL normalization to prevent malformed input
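The two sections above describe a protocol allow-list, blocking of javascript:/data:/file:, HTTPS upgrade for bare domains, normalization, and noopener noreferrer on rendered links. As an added example (not Blokwork's own code), the following sanitizer implements that policy with the WHATWG URL parser; the 2048-character cap and the helper names are assumptions, and the hypothetical renderLink shows how the sanitized href would reach the page.

```javascript
// Added example, not code from the Blokwork project.
// Protocol allow-list taken from SECURITY.md: http, https, mailto, tel only.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:', 'mailto:', 'tel:']);
const MAX_URL_LENGTH = 2048; // assumed size limit for a single link

// Returns a normalized href string, or null if the input must be rejected.
function sanitizeUrl(input) {
  if (typeof input !== 'string') return null;
  let text = input.trim();
  if (text.length === 0 || text.length > MAX_URL_LENGTH) return null;

  // Browsers ignore tabs/newlines inside a scheme ("java\tscript:"), so strip
  // control characters first; otherwise the scheme check below could be fooled.
  text = text.replace(/[\u0000-\u001F\u007F]/g, '');

  // No "scheme:" prefix at all means a bare domain such as "example.com/path":
  // upgrade it to https. (A bare "host:port" like "localhost:8080" is read as a
  // scheme and therefore rejected by the allow-list below; that is the strict
  // behaviour this policy asks for.)
  if (!/^[a-zA-Z][a-zA-Z0-9+.-]*:/.test(text)) {
    text = 'https://' + text;
  }

  let url;
  try {
    url = new URL(text); // normalizes case of scheme/host, percent-encodes, etc.
  } catch {
    return null; // malformed input is dropped rather than guessed at
  }

  // Allow-list, not block-list: javascript:, data:, file:, blob:, vbscript: and
  // anything unexpected all fail this single check.
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return null;
  if ((url.protocol === 'http:' || url.protocol === 'https:') && url.hostname === '') {
    return null;
  }
  return url.href;
}

function escapeHtml(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hypothetical renderer: rejected URLs fall back to plain text, accepted ones
// open in a new tab with noopener noreferrer so the target cannot reach window.opener.
function renderLink(input, label) {
  const href = sanitizeUrl(input);
  if (href === null) return escapeHtml(label);
  return `<a href="${escapeHtml(href)}" target="_blank" rel="noopener noreferrer">${escapeHtml(label)}</a>`;
}
```

The design choice worth noting is the order: strip control characters, then decide whether the input already carries a scheme, then let the URL parser normalize, and only then compare the parsed protocol against the allow-list. Comparing against the raw string (for example with a regular expression for "javascript:") would miss mixed-case and whitespace-padded variants that the parser happily accepts.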

Data Validation

  • Comprehensive JSON structure validation
  • Type checking on all properties
  • Timestamp validation
  • Required field enforcement
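The Input Sanitization list mentions prototype-pollution protection on import, and the Data Validation list asks for structure validation, type checks, timestamp checks and required fields. As an added example (not Blokwork's own code), the validator below does all of these for an exported JSON document before it is written to localStorage. The document schema (a version number plus an array of blocks with id, title, content, createdAt and updatedAt) and every size limit are assumptions made for illustration; Blokwork's real export format is not documented on this page.

```javascript
// Added example, not code from the Blokwork project. Schema and limits are assumed.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const MAX_IMPORT_CHARS = 4 * 1024 * 1024;     // assumed, stays under localStorage quota
const MAX_BLOCKS = 10000;                     // assumed
const MAX_TEXT_LENGTH = 100000;               // assumed per-field cap
const MAX_TIMESTAMP_MS = Date.UTC(3000, 0, 1); // rejects nonsense far-future values

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// JSON.parse stores "__proto__" as an ordinary own property, so Object.keys sees it.
// Returns the path of the first forbidden key, or null. Any later deep merge of the
// parsed data into application state would otherwise turn such a key into pollution.
function findForbiddenKey(value, path = '$') {
  if (Array.isArray(value)) {
    for (let i = 0; i < value.length; i++) {
      const hit = findForbiddenKey(value[i], `${path}[${i}]`);
      if (hit) return hit;
    }
  } else if (isPlainObject(value)) {
    for (const key of Object.keys(value)) {
      if (FORBIDDEN_KEYS.has(key)) return `${path}.${key}`;
      const hit = findForbiddenKey(value[key], `${path}.${key}`);
      if (hit) return hit;
    }
  }
  return null;
}

function checkText(v, field, max = MAX_TEXT_LENGTH) {
  if (typeof v !== 'string') throw new Error(`${field} must be a string`);
  if (v.length > max) throw new Error(`${field} exceeds ${max} characters`);
  return v;
}

function checkTimestamp(v, field) {
  if (!Number.isSafeInteger(v) || v < 0 || v > MAX_TIMESTAMP_MS) {
    throw new Error(`${field} is not a valid millisecond timestamp`);
  }
  return v;
}

// Copies only the known fields into a fresh object, so unknown keys never reach
// application state regardless of what the file contained.
function validateBlock(raw, index) {
  const at = `blocks[${index}]`;
  if (!isPlainObject(raw)) throw new Error(`${at} must be an object`);
  const block = {
    id: checkText(raw.id, `${at}.id`, 64),
    title: checkText(raw.title, `${at}.title`, 256),
    content: checkText(raw.content, `${at}.content`),
    createdAt: checkTimestamp(raw.createdAt, `${at}.createdAt`),
    updatedAt: checkTimestamp(raw.updatedAt, `${at}.updatedAt`),
  };
  if (block.id.length === 0) throw new Error(`${at}.id is required`);
  if (block.updatedAt < block.createdAt) throw new Error(`${at} updatedAt precedes createdAt`);
  return block;
}

// Returns { ok: true, data } with a freshly built document, or { ok: false, error }.
function validateImport(text) {
  try {
    if (typeof text !== 'string') throw new Error('import must be a string');
    if (text.length > MAX_IMPORT_CHARS) throw new Error('import exceeds size limit');
    const raw = JSON.parse(text);
    const forbidden = findForbiddenKey(raw);
    if (forbidden) throw new Error(`forbidden key at ${forbidden}`);
    if (!isPlainObject(raw)) throw new Error('top level must be an object');
    if (!Number.isSafeInteger(raw.version) || raw.version < 1) {
      throw new Error('version must be a positive integer');
    }
    if (!Array.isArray(raw.blocks)) throw new Error('blocks must be an array');
    if (raw.blocks.length > MAX_BLOCKS) throw new Error('too many blocks');
    const blocks = raw.blocks.map(validateBlock);
    const seen = new Set();
    for (const b of blocks) {
      if (seen.has(b.id)) throw new Error(`duplicate block id ${b.id}`);
      seen.add(b.id);
    }
    return { ok: true, data: { version: raw.version, blocks } };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}
```

Rebuilding the document field by field, rather than accepting the parsed object, is what makes the required-field and type checks enforceable: a block is either fully valid or the whole import is refused, and nothing the file smuggled in under an extra key survives into storage.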

Local Storage Security

All data is stored in browser localStorage:

  • Scoped to Origin: Data is isolated per domain
  • User Controlled: Clear data anytime via browser settings
  • No Expiration: Data persists until manually cleared
  • Export/Import: Full control over data portability

Supported Versions

Version   Supported
Latest    Yes

Blokwork is a single-page application. Always use the latest version deployed at the main GitHub Pages URL.

Reporting a Vulnerability

If you discover a security vulnerability in Blokwork, please report it responsibly:

Please Do:

  • Open a GitHub Issue with details of the vulnerability
  • Provide steps to reproduce (if applicable)
  • Allow reasonable time for a response before public disclosure
  • Suggest a fix or mitigation if possible

Please Do Not:

  • Exploit the vulnerability beyond what's necessary to demonstrate it
  • Share the vulnerability publicly before it's addressed
  • Use the vulnerability for malicious purposes

What to Include:

  1. Description of the vulnerability
  2. Steps to reproduce the issue
  3. Potential impact of the vulnerability
  4. Suggested fix (if you have one)
  5. Browser/OS details where tested

Response Timeline:

  • Initial Response: Within 7 days
  • Status Update: Within 14 days
  • Fix Timeline: Depends on severity (critical issues prioritized)

Security Best Practices for Users

Data Privacy

  • All data is stored locally in your browser
  • Clear browser data to permanently delete your information
  • Export regularly to back up your data
  • Don't share exported JSON files with untrusted parties

Safe Usage

  • Only import JSON files from trusted sources
  • Review URLs before clicking external references
  • Be cautious with content from unknown sources
  • Keep your browser up to date

Backup Your Data

  • Use the built-in export function regularly
  • Store backups in a secure location
  • Test imports periodically to ensure data integrity

Known Limitations

Browser Storage Limits

  • localStorage has size limits (typically 5-10MB)
  • Large datasets may hit storage quotas
  • Export data if approaching limits

Browser Compatibility

  • Requires modern browser with ES6+ support
  • localStorage must be enabled
  • JavaScript must be enabled

Offline-Only Design

  • No cloud sync or multi-device support
  • No collaborative editing features
  • Data exists only in the browser where it's created

Third-Party Dependencies

Blokwork uses the following vetted open-source libraries:

  • Marked.js (MIT License) - Markdown parsing
  • DOMPurify (Apache-2.0 or MPL-2.0) - HTML sanitization

Both libraries are included locally (not loaded from CDN) to maintain offline functionality and security.

Contact

For security concerns or questions:

  • Open a GitHub Issue (preferred)
  • Submit a Pull Request with fixes

Thank you for helping keep Blokwork secure!
