Security

How we protect data and respond to security issues.

Last updated: May 26, 2026

This page describes the security practices in place at cidrcalculator.net and how to report security concerns.

1. Architecture & data handling

1.1 Client-side calculation

The core CIDR calculation logic runs entirely in your browser using JavaScript. IP ranges, subnet designs, and similar inputs you type into our calculators are not transmitted to our servers. This is the most important security guarantee of the Service: even if our servers were compromised, your subnet designs would not be exposed because we never receive them in the first place.

The exception is when you explicitly choose to save a design to a logged-in account (when account features are available). In that case, the data is transmitted over HTTPS and stored encrypted.

1.2 No long-term server-side logs of inputs

Our servers log request metadata (IP address, timestamp, user agent, URL path) for operational and security purposes for up to 90 days. Calculation inputs are never logged because they never reach our servers.

2. Transport security

  • HTTPS everywhere — all traffic is encrypted using TLS 1.2 or higher
  • HSTS — HTTP Strict Transport Security headers prevent downgrade attacks
  • Modern cipher suites — we follow Mozilla's "modern" TLS configuration where supported
  • HTTP/2 — used for performance and connection efficiency

3. Application security

  • Content Security Policy (CSP) — restricts script sources to defend against XSS
  • X-Content-Type-Options: nosniff — prevents MIME-type confusion attacks
  • X-Frame-Options / frame-ancestors — prevents clickjacking
  • Subresource Integrity (SRI) — for third-party scripts where supported
  • Input validation — all calculator inputs are validated against strict formats before processing
  • No eval() — we do not use eval() or other dynamic-code execution in calculator logic

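An added example, not cidrcalculator.net's own code, of what the "Input validation" and "No eval()" items mean in practice for a client-side CIDR calculator: an anchored, strict IPv4 CIDR parser that rejects anything outside the expected format (stray whitespace, leading zeros, out-of-range octets or prefix lengths) before any arithmetic runs, and derives the network, broadcast and usable-host count with plain integer operations. The names CIDR_RE, parseCidr and toDotted are this example's own.

```javascript
// Added example: strict validation of an IPv4 CIDR string before calculation.
// The regex is anchored (^...$), allows only four decimal octets with no leading
// zeros, and a prefix length of 0-32. Input that does not match is rejected
// outright; nothing is "cleaned up" or evaluated dynamically.
const CIDR_RE =
  /^((?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(?:\.(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})\/(3[0-2]|[12]?\d)$/;

// Render an unsigned 32-bit integer as dotted-quad notation.
function toDotted(n) {
  return [n >>> 24, (n >>> 16) & 255, (n >>> 8) & 255, n & 255].join(".");
}

// Returns null for any malformed input; otherwise the derived subnet facts.
function parseCidr(input) {
  if (typeof input !== "string") return null;
  const m = CIDR_RE.exec(input); // deliberately no trim(): whitespace is invalid
  if (!m) return null;

  const octets = m[1].split(".").map(Number);
  const prefix = Number(m[2]);

  // Pack the address into an unsigned 32-bit integer (>>> 0 keeps it unsigned).
  const addr =
    ((octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]) >>> 0;
  // A /0 mask must be handled explicitly: JavaScript shifts by (32 - 0) mod 32.
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  const network = (addr & mask) >>> 0;
  const broadcast = (network | (~mask >>> 0)) >>> 0;

  return {
    network: toDotted(network),
    broadcast: toDotted(broadcast),
    prefix,
    // /31 and /32 reserve no network/broadcast addresses (RFC 3021 semantics).
    usableHosts: prefix >= 31 ? 2 ** (32 - prefix) : 2 ** (32 - prefix) - 2,
  };
}
```

Inputs such as "10.0.0.1/8 " (trailing space), "192.168.01.1/24" (leading zero) and "10.0.0.0/33" all return null rather than being coerced into a best-guess calculation.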
4. Infrastructure

  • Hosting — the site is hosted on a major cloud provider with SOC 2 / ISO 27001 attestations
  • CDN — Cloudflare provides DDoS mitigation and edge caching
  • Automated patching — dependencies are continuously monitored for vulnerabilities
  • Access controls — administrative access requires multi-factor authentication
  • Audit logging — administrative actions are logged for review

5. Account & authentication security

When account features are enabled:

  • Passwords are stored using argon2id hashing with per-user salts
  • Session tokens are HttpOnly, Secure, SameSite=Lax cookies
  • Two-factor authentication (TOTP) is supported
  • SSO via Google, Microsoft, and Okta is supported on team and enterprise plans
  • Account deletion immediately purges personal data; backups are purged within 30 days

6. Third-party services

We use a small set of vetted third-party services. Each has its own security and privacy practices:

  • Google Analytics — anonymized usage analytics
  • Google AdSense — display advertising
  • Adsterra — display advertising
  • Cloudflare — CDN and DDoS protection

See our Privacy Policy for full details on what these services collect.

7. Responsible disclosure

If you discover a security vulnerability, we ask that you disclose it responsibly:

7.1 How to report

Email contactus@cidrcalculator.net with the subject line "Security Disclosure". Please include:

  • A description of the vulnerability
  • Steps to reproduce
  • Affected URL(s) or component(s)
  • Potential impact
  • Your contact information (optional)

7.2 What we ask of you

  • Provide a reasonable amount of time for us to investigate and fix the issue before public disclosure (typically 90 days)
  • Avoid testing that could degrade the Service, expose user data, or violate privacy
  • Do not exploit the vulnerability beyond what is necessary to demonstrate it
  • Do not access, modify, or delete user data

7.3 What we commit to

  • Acknowledge your report within 3 business days
  • Provide a substantive response within 14 business days
  • Keep you informed of progress
  • Credit you publicly (if you wish) once the issue is resolved
  • Not pursue legal action against good-faith researchers who follow this policy

8. Scope

In scope for security reports:

  • cidrcalculator.net and its subdomains
  • Application logic, authentication, authorization
  • Data handling and storage

Out of scope:

  • Issues in third-party services (report to them directly)
  • Self-XSS that requires social engineering
  • Issues requiring physical access to a user's device
  • Reports based on outdated browsers or theoretical attacks without proof of concept
  • Spam reports, missing security headers without exploitability, missing CSRF on logout

9. Incident response

In the event of a confirmed security incident affecting user data:

  • We will investigate the scope and impact
  • We will notify affected users within 72 hours where required by applicable law (GDPR, state breach laws)
  • We will provide guidance on any actions users should take
  • We will publish a post-incident summary where appropriate

10. User responsibilities

Security is a shared responsibility. We ask that you:

  • Use a strong, unique password if you create an account
  • Enable two-factor authentication where available
  • Keep your browser and operating system updated
  • Be aware that any data you choose to save or share carries its own risks
  • Review network designs carefully before applying them to production

11. Contact

Security-related questions or reports: contactus@cidrcalculator.net
Subject line: "Security"