Security.
freebmicalculatoronline.com is built to be as small and as honest a tool as possible. The security model follows from a single design choice: the site has no backend. Every number you compute is computed in your browser, on your device, and is never sent to us. This page lists exactly what that means, what we do on top of it, and where the limits of in-browser security still apply.
What we do
1. No backend. No database. No server-side state.
The site is generated as static HTML at build time and served from a global CDN. There is no application server, no API, no database, and no user account system. Your weight, height, age, gender, and waist circumference never leave your device. The only network requests made by the calculator itself are:
- The initial HTML document.
- The CSS and JavaScript bundles (cached by the CDN edge and your browser).
- The self-hosted font files (Geist + Geist Mono, 52 KB total, served from the same origin).
That is the entire attack surface. There is nothing to breach, no credentials to leak, no data to exfiltrate, because we never had it in the first place.
2. No third-party trackers by default
There is no Google Analytics, no Meta Pixel, no Hotjar, no Microsoft Clarity, no Mixpanel, no Segment — and no other analytics or retargeting script. The only third-party script that can load is Google AdSense, which loads on every page. The cookie consent banner controls whether the ads shown are personalised (selected by our advertising partners using cookies in your browser) or non-personalised (contextual, with no tracking of your browsing history). The calculator and all on-site features work the same either way; the choice only affects the relevance of the ads you see.
The full list of cookies the site can set is in the Privacy Policy.
3. Strict security headers (every page)
The following headers are set on every response. They are configured for Cloudflare Pages (public/_headers), Vercel (vercel.json), and Netlify (netlify.toml) so the policy is the same regardless of where you deploy.
- X-Content-Type-Options: nosniff — prevents the browser from guessing a MIME type and reduces drive-by exploit risk.
- X-Frame-Options: DENY — the site cannot be embedded in an <iframe> on a third-party domain. Protects against clickjacking.
- Referrer-Policy: strict-origin-when-cross-origin — full referrer sent to same-origin, only origin (not path) sent cross-origin.
- Permissions-Policy: camera=(), microphone=(), geolocation=(), interest-cohort=() — explicitly disables APIs the site never needs, and opts out of FLoC/Topics tracking.
- Strict-Transport-Security: max-age=63072000; includeSubDomains; preload — once a user has visited over HTTPS, browsers refuse to downgrade to HTTP for two years.
- Cross-Origin-Opener-Policy: same-origin — isolates the browsing context to mitigate side-channel attacks like Spectre.
- Content-Security-Policy — set via a <meta> tag in the page <head>. Restricts which origins can run script, load images, and connect. A report-only violation has no visible effect in normal browsing; a violation of the enforced policy is logged in the browser's DevTools console.
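To confirm that a deploy actually carries the policy listed above, here is an added example (not the site's own code) that audits a response header map against each required header and value. The sample responses are constructed for the example, not captured from the site.

```javascript
// Added example (not from the site's code): audit a response's header map
// against the policy described above. Header names are compared
// case-insensitively, as HTTP requires.
const REQUIRED = {
  "x-content-type-options": (v) => v.toLowerCase() === "nosniff",
  "x-frame-options": (v) => v.toUpperCase() === "DENY",
  "referrer-policy": (v) => v.toLowerCase() === "strict-origin-when-cross-origin",
  "cross-origin-opener-policy": (v) => v.toLowerCase() === "same-origin",
  "permissions-policy": (v) =>
    ["camera=()", "microphone=()", "geolocation=()", "interest-cohort=()"]
      .every((d) => v.replace(/\s+/g, "").includes(d)),
  "strict-transport-security": (v) => {
    // max-age must be at least two years and subdomains must be covered
    const parts = v.toLowerCase().split(";").map((p) => p.trim());
    const maxAge = Number((parts.find((p) => p.startsWith("max-age=")) || "max-age=0").slice(8));
    return maxAge >= 63072000 && parts.includes("includesubdomains");
  },
};

// Returns a list of human-readable findings; an empty list means the
// response satisfies the policy.
function auditHeaders(headers) {
  const lower = {};
  for (const [name, value] of Object.entries(headers)) lower[name.toLowerCase()] = value;
  const findings = [];
  for (const [name, ok] of Object.entries(REQUIRED)) {
    if (!(name in lower)) findings.push(`missing ${name}`);
    else if (!ok(lower[name])) findings.push(`weak ${name}: ${lower[name]}`);
  }
  return findings;
}

// Constructed sample: what a correctly configured response would carry.
const SAMPLE_GOOD = {
  "X-Content-Type-Options": "nosniff",
  "X-Frame-Options": "DENY",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "Permissions-Policy": "camera=(), microphone=(), geolocation=(), interest-cohort=()",
  "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
  "Cross-Origin-Opener-Policy": "same-origin",
};

// Constructed sample: a misconfigured deploy (short HSTS, missing COOP).
const SAMPLE_WEAK = { ...SAMPLE_GOOD, "Strict-Transport-Security": "max-age=300" };
delete SAMPLE_WEAK["Cross-Origin-Opener-Policy"];
```

Feed it the headers from a real response (for example the output of a HEAD request parsed into an object) and every non-empty finding is a deploy that drifted from the policy.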
4. Cookies & consent
A localStorage key (fbcoConsent:v1) records whether you clicked Accept (personalised ads) or Decline (non-personalised ads) on the cookie banner. We don't use that value for tracking; we pass it to the ad network so it can decide which ad inventory to serve. The site itself never reads the value for any other purpose.
The site does not use any first-party analytics. We do not have access to your IP address beyond what the CDN log captures (which we never read and which Cloudflare rotates within 30 days).
5. Service worker is offline-only, never stores inputs
A service worker (/sw.js) is registered on HTTPS and localhost only. It caches the calculator shell and static assets so the page works offline, but it never caches form inputs, query parameters, or POST bodies. The worker's cache is also versioned; an updated deploy purges the old cache automatically.
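The caching rules just described, as an added example (not the site's actual /sw.js): the decision of what to serve from cache is a pure function so it can be checked outside a browser, and the asset paths and cache version tag are assumed, not taken from the site.

```javascript
// Added example (not the site's /sw.js): the caching decision a shell-only
// service worker makes. Only same-origin GET requests for the static shell
// are served from cache; anything that can carry user input (query strings,
// POST bodies) always goes to the network and is never stored.
const CACHE_NAME = "shell-v1"; // assumed version tag; bump on each deploy
const SHELL_ASSETS = ["/", "/index.html", "/app.js", "/app.css", "/fonts/geist.woff2"]; // assumed paths

// Pure decision function so it can be tested outside a browser.
function shouldServeFromCache(method, url, origin) {
  if (method !== "GET") return false;                   // never touch POST bodies
  let parsed;
  try { parsed = new URL(url, origin); } catch { return false; }
  if (parsed.origin !== origin) return false;           // only our own assets
  if (parsed.search !== "") return false;               // query params may hold inputs
  return SHELL_ASSETS.includes(parsed.pathname);
}

// Browser-only wiring; skipped when the file is loaded under Node for checks.
if (typeof self !== "undefined" && typeof caches !== "undefined") {
  self.addEventListener("install", (event) => {
    event.waitUntil(caches.open(CACHE_NAME).then((c) => c.addAll(SHELL_ASSETS)));
  });
  // Versioned cache: on activation delete every cache that is not the current one.
  self.addEventListener("activate", (event) => {
    event.waitUntil(
      caches.keys().then((keys) =>
        Promise.all(keys.filter((k) => k !== CACHE_NAME).map((k) => caches.delete(k)))));
  });
  self.addEventListener("fetch", (event) => {
    const req = event.request;
    // Not a shell asset: leave the request alone so the browser fetches it normally.
    if (!shouldServeFromCache(req.method, req.url, self.location.origin)) return;
    event.respondWith(caches.match(req).then((hit) => hit || fetch(req)));
  });
}
```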
6. Dependencies are minimal and pinned
The site uses Astro and Tailwind CSS, plus four small npm packages. The total JavaScript shipped to the browser is under 50 KB gzipped. There is no client framework runtime, no jQuery, no Lodash, no React, no Vue, no Svelte. Smaller surface area means fewer CVEs.
7. Dependencies are auditable
Every JavaScript file loaded by the page is part of the built bundle and contains no remote imports. The only external resources fetched are the self-hosted woff2 font files, served from the same origin.
What we don't do — and why it matters
- We don't store your inputs. There is no server to store them on. Note: your browser does store your last form values in localStorage (key bmiCalcState:v1) so the form restores on reload. You can clear this in your browser's site data settings at any time.
- We don't track you across the web. No retargeting pixels, no shared identity, no cross-site cookies.
- We don't sell data. There is no data to sell.
- We don't run user-uploaded code. The site is read-only for visitors.
- We don't log calculator inputs. We can't, technically — we never receive them.
Threat model — what this site is, and isn't, designed for
The security model above protects against:
- Mass data breaches (no data is collected, so none can be breached).
- Cross-site tracking and ad-tech fingerprinting (disabled by default).
- Clickjacking (X-Frame-Options: DENY).
- Man-in-the-middle attacks (HSTS, HTTPS-only).
- Drive-by JavaScript injection (CSP, no third-party scripts by default).
- Cross-origin data exfiltration (Permissions-Policy, Referrer-Policy).
It does not protect against:
- Someone looking at your screen over your shoulder ("shoulder-surfing"). Use a privacy screen if you care.
- Malicious browser extensions that read the DOM. Install only extensions you trust.
- Your own device being compromised. If your laptop is hacked, the calculator is the least of your problems.
- The fact that any site can be gamed by determined ad-fraud actors. We block obvious abuse but cannot guarantee 100% prevention.
Reporting a vulnerability
If you have found a security issue — XSS, an exposed endpoint, an information leak, anything — please email codemindsx@gmail.com with a clear description and a reproduction. We respond to legitimate reports within a few business days.
We do not run a paid bug-bounty program, but we credit reporters in the release notes for any responsible disclosure that leads to a fix.
Compliance summary
- GDPR (EU) — no personal data is collected by default; the consent banner is the only data-collection gate; users can decline.
- CCPA (California) — no personal information is sold or shared because none is collected. The contact form collects only what the user types and sends it to one inbox.
- COPPA (US children) — the site does not target under-13 users, does not knowingly collect their data, and offers no accounts. If a parent believes a child submitted data via the contact form, write to codemindsx@gmail.com and we will delete it.
- HIPAA — the site is not a covered entity and does not handle protected health information. Do not enter protected health information into the contact form.
- WCAG 2.1 AA — accessibility is part of the security story. The site is keyboard-operable, screen-reader-friendly, and contrast-checked.