OnlineRedactor

Security model

OnlineRedactor is designed around a narrow promise: redact PDFs in the browser, prove the selected extractable text was removed, and refuse PDFs that cannot be verified safely yet.

Current guarantees

  • PDF bytes are loaded, rendered, redacted, and verified in the browser.
  • Redaction uses MuPDF content-stream redaction, not cosmetic black rectangles.
  • Exports are re-opened and checked for leaked text fragments and text remaining inside redaction regions.
  • Scanned-only PDFs, fillable forms, document JavaScript, embedded attachments, and unsupported annotations are blocked before export.
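
The re-open-and-check step from the list above, as an added example that is not OnlineRedactor's own code. It assumes text spans with bounding boxes have already been extracted from the exported PDF; the `spans` and `redactions` shapes, `verifyExport`, and both thresholds are hypothetical. It fails closed: any 4-character fragment of a redacted string found anywhere in the export counts as a leak.

```javascript
// Added example; the input shapes below are assumptions, not OnlineRedactor's code.
// spans:      [{ page, text, bbox: [x0, y0, x1, y1] }] extracted from the re-opened export
// redactions: [{ page, rect: [x0, y0, x1, y1], text }] recorded when the regions were marked
const normalize = (s) => s.normalize("NFKC").toLowerCase().replace(/\s+/g, "");

// Overlap area of two [x0, y0, x1, y1] rectangles; 0 when they do not intersect.
function overlapArea(a, b) {
  const w = Math.min(a[2], b[2]) - Math.max(a[0], b[0]);
  const h = Math.min(a[3], b[3]) - Math.max(a[1], b[1]);
  return w > 0 && h > 0 ? w * h : 0;
}

// All minLen-character windows of the redacted string, so a partial leak is caught.
function fragments(secret, minLen) {
  const s = normalize(secret);
  if (s.length <= minLen) return s ? [s] : [];
  const out = new Set();
  for (let i = 0; i + minLen <= s.length; i++) out.add(s.slice(i, i + minLen));
  return [...out];
}

function verifyExport(spans, redactions, { minLen = 4, minOverlap = 0.1 } = {}) {
  const failures = [];
  // Join spans before matching: a leaked string may be split across several spans.
  const allText = normalize(spans.map((s) => s.text).join(""));
  for (const r of redactions) {
    for (const s of spans) {
      if (s.page !== r.page || !s.text.trim()) continue;
      const area = (s.bbox[2] - s.bbox[0]) * (s.bbox[3] - s.bbox[1]);
      if (area > 0 && overlapArea(s.bbox, r.rect) / area >= minOverlap)
        failures.push({ kind: "text-in-region", page: r.page, text: s.text });
    }
    const leaked = fragments(r.text, minLen).filter((f) => allText.includes(f));
    if (leaked.length) failures.push({ kind: "fragment-leak", page: r.page, leaked });
  }
  return { ok: failures.length === 0, failures };
}

// Constructed sample: a clean export, and one where the value survived in two spans.
const redactions = [{ page: 0, rect: [100, 700, 220, 715], text: "123-45-6789" }];
const clean = [{ page: 0, text: "SSN:", bbox: [60, 700, 95, 715] }];
const leaky = [...clean,
  { page: 0, text: "123-45", bbox: [100, 700, 160, 715] },
  { page: 0, text: "-6789", bbox: [160, 700, 220, 715] }];
console.log(verifyExport(clean, redactions).ok, verifyExport(leaky, redactions).ok);
```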

Current limits

  • OCR redaction for scanned PDFs is not part of V1.
  • Password-protected PDFs are blocked until a verified password workflow is added.
  • Payment is paused while the AGPL public-source path remains the active licensing route.

Source and licensing

This deployment uses the AGPL-licensed MuPDF route. The corresponding source is public on GitHub, and paid checkout remains paused unless a commercial MuPDF license is purchased or the AGPL source-availability path remains the chosen business model.
