Security Practices
MiOffice is architected so your files never leave your browser. There is no file data to intercept, leak, or breach.
Security Architecture
The Best Security Is No Data
Traditional file converters upload your files to their servers, process them, and send results back. Each step creates attack surface: transmission interception, server-side storage vulnerabilities, insider access, and third-party data sharing. MiOffice eliminates all of these by processing files entirely in your browser using WebAssembly.
Security Measures
SSL/TLS Encryption (HSTS Preload)
All connections use TLS 1.3 encryption. HSTS (HTTP Strict Transport Security) is enabled with preload, meaning browsers will only ever connect via HTTPS. Certificate managed by Caddy with automatic renewal.
Zero File Upload Architecture
Files are read using the browser's File API into local memory. Processing occurs via WebAssembly (FFmpeg, ONNX Runtime, pdf-lib) and Web Workers. Verify yourself: open browser DevTools → Network tab → no file data transmissions.
Security Headers
Every response includes hardened security headers to prevent common web attacks.
| Header | Value | Protection |
|---|---|---|
| Strict-Transport-Security | max-age=63072000; preload | Forces HTTPS |
| X-Content-Type-Options | nosniff | MIME sniffing |
| X-Frame-Options | SAMEORIGIN | Clickjacking |
| Referrer-Policy | strict-origin-when-cross-origin | URL leakage |
| Cross-Origin-Opener-Policy | same-origin | Cross-origin isolation |
| Cross-Origin-Embedder-Policy | require-corp | Resource isolation |
WebAssembly Sandbox
File processing runs in the browser's WASM sandbox — a memory-safe, isolated execution environment. WASM modules cannot access the filesystem, network, or any browser APIs beyond what is explicitly granted. Even the processing code itself is sandboxed.
No Account, No PII
No registration, no login, no email collection. We store no personally identifiable information. No passwords to breach, no accounts to compromise, no personal data to leak.
Threat Model Comparison
| Threat | MiOffice | Server-Based Tools |
|---|---|---|
| Man-in-the-middle (file interception) | Not possible | Risk during upload/download |
| Server-side data breach | Not possible | Files stored temporarily |
| Insider access to files | Not possible | Employees can access |
| Third-party data sharing | Not possible | Subprocessors possible |
| Government data request | Nothing to provide | May comply |
| Account credential theft | No accounts exist | Password reuse risk |
Security Verification
You can independently verify our security practices using these free tools:
SSL Labs
Test our SSL/TLS configuration and certificate chain at ssllabs.com/ssltest
Security Headers
Verify our HTTP security headers at securityheaders.com
Browser DevTools
Open Network tab while using any tool — confirm zero file data leaves your browser.
Mozilla Observatory
Scan our site at observatory.mozilla.org for comprehensive security analysis.
The safest way to convert files online
No upload. No storage. No risk. Start converting securely.