Safety Protocols & Security
Last Updated: January 2026
Security-First Design: vitsi.xyz implements multiple layers of security to protect users and prevent attacks.
1. Input Sanitization
All user inputs are sanitized to prevent:
- XSS Attacks: HTML and script tags are stripped
- Code Injection: JavaScript event handlers are removed
- Protocol Injection: javascript: and data: protocols are blocked
- Length Limits: Inputs are limited to prevent DoS attacks
2. Data Validation
All data is validated before processing:
- Data structure validation
- Type checking (strings, numbers)
- Range validation (0-100 for weights, 0-10 for scores)
- Array length limits (max 50 criteria, 50 options)
3. No Server-Side Storage
Zero Data Transmission: All data remains in your browser. Nothing is sent to our servers, eliminating risk of data breaches or leaks.
4. Content Security Policy
Strict CSP headers prevent:
- Unauthorized script execution
- Inline script injection
- External resource loading (except approved CDNs)
- Frame embedding (clickjacking protection)
5. Security Headers
HTTP security headers protect against:
- X-Content-Type-Options: nosniff - Prevents MIME sniffing
- X-Frame-Options: DENY - Prevents clickjacking
- X-XSS-Protection - Browser XSS filter
- Referrer-Policy - Limits referrer information
- Permissions-Policy - Restricts browser features
6. URL Sharing Safety
Shared URLs use Base64 encoding:
- Data is validated before decoding
- URL length is limited to prevent abuse
- Decoded data is sanitized before use
- No server-side processing of URLs
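The checks listed under Data Validation and URL Sharing Safety, combined into one decode path. This is an added example, not vitsi.xyz's own code: the function names, the payload shape ({criteria, options}), the standard Base64 alphabet and the two length caps are assumptions; the 50-item, 0-100 and 0-10 limits come from this page.

```javascript
// Added example: names, payload shape and the two length caps are assumptions.
const MAX_ENCODED_LEN = 8192; // assumed URL payload cap (the page gives no number)
const MAX_TEXT_LEN = 100;     // assumed per-label cap
const MAX_ITEMS = 50;         // from the page: max 50 criteria, 50 options

// Strip tags, inline event handlers and javascript:/data: schemes from a label.
function sanitizeText(value) {
  if (typeof value !== 'string') throw new TypeError('label must be a string');
  let out = value, prev;
  do { // repeat until stable so split fragments cannot reassemble
    prev = out;
    out = out.replace(/<[^>]*>/g, '')
      .replace(/\bon\w+\s*=/gi, '')
      .replace(/\b(?:javascript|data)\s*:/gi, '');
  } while (out !== prev);
  return out.replace(/[<>]/g, '').trim().slice(0, MAX_TEXT_LEN);
}

// Number.isFinite does not coerce, so strings, NaN and Infinity all fail.
const inRange = (n, lo, hi) => Number.isFinite(n) && n >= lo && n <= hi;

// Decode a shared-URL payload; throws on anything that fails a check.
function decodeSharedState(encoded) {
  if (typeof encoded !== 'string' || !encoded || encoded.length > MAX_ENCODED_LEN) {
    throw new Error('payload missing or too long');
  }
  // Validate the alphabet and padding before decoding.
  if (encoded.length % 4 !== 0 || !/^[A-Za-z0-9+/]+={0,2}$/.test(encoded)) {
    throw new Error('payload is not Base64');
  }
  const data = JSON.parse(atob(encoded)); // throws on malformed JSON
  if (!data || !Array.isArray(data.criteria) || !Array.isArray(data.options)) {
    throw new Error('unexpected structure');
  }
  if (data.criteria.length > MAX_ITEMS || data.options.length > MAX_ITEMS) {
    throw new Error('too many criteria or options');
  }
  // Rebuild from known fields only, so unexpected keys are dropped.
  const criteria = data.criteria.map((c) => {
    if (!c || !inRange(c.weight, 0, 100)) throw new Error('weight outside 0-100');
    return { name: sanitizeText(c.name), weight: c.weight };
  });
  const options = data.options.map((o) => {
    const ok = o && Array.isArray(o.scores) && o.scores.length === criteria.length &&
      o.scores.every((s) => inRange(s, 0, 10));
    if (!ok) throw new Error('scores must be 0-10, one per criterion');
    return { name: sanitizeText(o.name), scores: [...o.scores] };
  });
  return { criteria, options };
}
```

Labels returned by this function should still be written to the page with textContent rather than innerHTML, so the sanitizer is not the only barrier against markup injection.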
7. LocalStorage Security
Browser localStorage is used safely:
- Data is validated before saving
- Data is sanitized before loading
- Error handling prevents crashes
- Users can clear data anytime
8. No External Dependencies (Except Chart.js)
The Service uses only:
- Chart.js from cdn.jsdelivr.net (read-only visualization)
- No analytics, tracking, or data collection libraries
- No third-party APIs that could leak data
9. Best Practices
Users should:
- Keep browser updated
- Use browser security features
- Be cautious when sharing URLs
- Clear data when using shared devices
10. Reporting Security Issues
If you discover a security vulnerability, please:
- Do not publicly disclose until resolved
- Provide detailed information about the issue
- Allow reasonable time for fixes
Note: While we implement strong security measures, no system is 100% secure. Use the Service at your own discretion and do not input highly sensitive information.