How to verify this tool doesn't upload your file
A 30-second test, in your own browser, without any tools beyond DevTools. Don't trust our promises — verify what the browser actually does.
The 30-second test
- Open DevTools → Network tab. Right-click anywhere on the main page and pick "Inspect," then click the "Network" tab. Tick "Preserve log" so requests don't clear when you drop a file.
-
Reload the page once.
You'll see a handful of requests — the HTML page itself, the
pdf-liblibrary, possibly the vendored decoders. Every URL should start withfreepdfcompressor.aanandambaba.workers.dev(or your IP if you saved it locally). No third-party domain. No analytics, no fonts, no CDN. - Drop a PDF into the page. Watch the Network tab as it processes. The list should not grow. The only thing that might appear is a one-time fetch of the WebAssembly decoder if your PDF is a scanned document (JBIG2 / JPEG2000 / CCITT-Fax) — and even that comes from this site, not anywhere else.
- Download the compressed result. A "blob:" URL appears in the network tab. That's a temporary in-memory URL — nothing is sent over the wire. Your browser is just handing the file to itself.
The browser is enforcing this — not us
Every response from this site includes a Content-Security-Policy header that tells your browser exactly what is and isn't allowed. The browser obeys the header regardless of what the JavaScript on the page tries to do. You can see the header by right-clicking the main page request in the Network tab and copying it.
Here is the literal CSP your browser receives:
default-src 'self'; script-src 'self' 'unsafe-inline' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self'; object-src 'none'; base-uri 'self'; form-action 'none'; frame-ancestors 'none'
The directive that matters most is connect-src 'self'. It means: the page can only make network requests to its own origin. No fetch(), no XMLHttpRequest, no WebSocket, no navigator.sendBeacon(), no Fetch from a Web Worker, can be sent to any other domain. If a future bug or rogue dependency tried, the browser would block the request before any byte left your machine.
The "same origin" is a Cloudflare-hosted static site. It serves files, period — there's no API endpoint to upload to, and no server-side code at all. So even a same-origin POST has nowhere to go.
What's in the page
The deployed page is exactly what you see in View Source. There is no minified app bundle, no build step, no compiled framework, no SPA router. The whole tool is one HTML file (about 1200 lines, readable top to bottom) plus a handful of vendored libraries that handle the PDF parsing and image decoding.
| File | Purpose | Source | Size | SHA-256 |
|---|---|---|---|---|
vendor/pdf-lib.min.js |
PDF parsing, structural rewrite, image XObject replacement. | pdf-lib v1.17.1 (MIT) | 525 KB | 0f9a5cad07941f0826586c94e089d89b918c46e5c17cf2d5a3c6f666e3bc694f |
vendor/jbig2-loader.jsvendor/jbig2.wasm |
JBIG2 + CCITT-Fax image decoding for scanned PDFs. Loaded lazily — only when a PDF using these formats is opened. | Mozilla pdf.js external/jbig2 (Apache-2.0) | 9 KB 105 KB |
28fc8b6686ba89e5ba4f1fe40dc51dd9fdfccfc2518776fe696ee8a2bdb290cd e6bee67724a7b5436fe8162638e3708cfc8d52b6342db69a49715e30ff27cfdc |
vendor/openjpeg-loader.jsvendor/openjpeg.wasm |
JPEG2000 image decoding for scanned PDFs. Loaded lazily. | Mozilla pdf.js external/openjpeg (BSD-2-Clause) | 14 KB 252 KB |
e59614b7593c45f6b3a2bcc847295107df233b8bf2833b1fcbbe4068da276a41 004a0e62db930ba9ff2a22212f4554d0bb57a0635a8287caf70f98117cee14ba |
To verify these match upstream, download the upstream files at the linked commit and run shasum -a 256 against each. They will match. The build artifacts themselves (the WASM binaries) are what Firefox ships internally — they handle the same scanned PDFs millions of users open every day.
What we don't load, ever
- No analytics provider. No Google Analytics, no Plausible, no Fathom, no Mixpanel — not even "privacy-friendly" analytics.
- No tracking pixels. No Facebook pixel, no LinkedIn insight, no Microsoft Clarity.
- No third-party JavaScript at all. No fonts from Google, no jQuery from a CDN, no embedded widgets.
- No advertising or affiliate scripts.
- No error-reporting service. No Sentry, no Bugsnag, no Rollbar.
- No A/B testing or feature-flag service.
- No "session replay" tools like FullStory or Hotjar.
- No cookies set by this site. No
localStorage, nosessionStorage, noIndexedDB. - No service worker that could intercept and exfiltrate your file.
- No social-share widgets that load Twitter / Facebook / LinkedIn scripts.
- No email-signup form. No newsletter integration.
What your hosting provider sees
The site is served by Cloudflare Workers. When you visit, Cloudflare's edge sees the same standard logs every web host sees: your IP address, the User-Agent string your browser sends, and the URLs you request. They do not see the contents of your PDF — nothing about your PDF ever travels over the network. We do not query, export, or analyze these logs.
If you want to hide even the fact that you visited the site, you can save the page (Ctrl/⌘+S → "Save as web page, complete"), copy the saved index.html and vendor/ folder to your own machine, and run the tool entirely offline. Or load it once over Tor.
What still requires trust
We aim to make as much as possible verifiable, but some things can't be reduced to a 30-second test:
- You have to trust that
pdf-liband the pdf.js WASM decoders don't have intentional backdoors. Both are widely-used open-source projects (millions of users); a hidden upload would have been noticed long ago. The links above point at the exact commit hashes we vendored, so you can review the source yourself. - You have to trust that the page you're seeing in your browser is the same page Netlify is serving. The CSP and View Source give you strong evidence, but a man-in-the-middle attacker could in principle modify the response. HTTPS (with HSTS, which this site has) is what prevents this in practice.
- You have to trust that your own browser is honest. Browsers from Mozilla, Apple, and Google are open-source or have been heavily audited. A modified browser, or a browser extension with broad permissions, could see your file. That's a problem no website can solve for you.