Security

How we handle your text, and everything around it.

Infrastructure, data handling, headers, abuse prevention, and disclosure — in plain English.

TL;DR: humanise.ai runs on Cloudflare Workers. No databases. No origin servers. User text is processed in-memory and discarded. Modern security headers throughout. securityheaders.com rates us A+.

What we run

humanise.ai runs on Cloudflare Workers. The entire site — pages, partials, and the /api/humanise endpoint — ships as a single Worker deployed to Cloudflare's global edge. There are no origin servers, no long-lived compute, and no attached databases.

  • No origin to breach. There is no box to ssh into.
  • TLS everywhere. HTTPS is terminated at Cloudflare's edge with modern cipher suites; every HTTP request is redirected to HTTPS with a 301, and we set HSTS with max-age=31536000; includeSubDomains; preload.
  • DDoS absorption. Cloudflare's network absorbs volumetric attacks; we focus on application-layer abuse (see Abuse prevention below).
  • Transport and storage separation. User text is processed in-memory inside the Worker isolate and discarded at response end. Nothing is persisted to disk, KV, R2, D1, or any third-party store.

How we handle your text

Submissions are not stored. When you paste text into the humaniser, it travels over TLS to a Worker, gets humanised by the upstream model, and comes back to your browser. The Worker isolate is destroyed at response end. We don't log the submission, don't keep a copy, and don't write it to any attached storage.

We log anonymised request metadata for debugging and abuse prevention: rough character count (bucketed), HTTP status, latency, Cloudflare-derived IP country (not IP), and a request ID. This metadata is kept 30 days and destroyed automatically. We do not log text content, headers that could identify you, or cookies.
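As an added example of the metadata minimisation described above (not the site's own code): a Workers-style helper that builds the log record from the request and keeps only the fields listed, plus a check that the record never carries the client IP, cookies or the submitted text. The bucket edges, the field names and the use of Cloudflare's cf-ray header as the request ID are my assumptions; the page only says the count is bucketed and that a request ID is kept.

```javascript
// Assumed bucket edges in characters; the page says only "bucketed".
const CHAR_BUCKET_EDGES = [100, 500, 1000, 5000, 20000];

// Collapse an exact length into a coarse range such as "500-999" or "20000+",
// so the record cannot be matched back to a specific submission by size.
function bucketCharCount(n) {
  let lower = 0;
  for (const edge of CHAR_BUCKET_EDGES) {
    if (n < edge) return `${lower}-${edge - 1}`;
    lower = edge;
  }
  return `${lower}+`;
}

// Build the record from an allow-list of fields. Everything not named here
// (client IP from cf-connecting-ip, cookies, UA, the text itself) is dropped.
// request.cf.country is Cloudflare-populated; it is absent outside Workers,
// hence the optional chaining. Using cf-ray as the request ID is an assumption.
function anonymisedMetadata(request, { text, status, latencyMs }) {
  return {
    charBucket: bucketCharCount(text.length),
    status,
    latencyMs: Math.round(latencyMs),
    country: request.cf?.country ?? "unknown",
    requestId: request.headers.get("cf-ray") ?? "unknown",
  };
}

// Defensive check for the log path: true if the serialised record contains the
// client IP, the cookie header or the submitted text. Should always be false.
function leaksSensitiveData(record, request, text) {
  const serialised = JSON.stringify(record);
  const forbidden = [text, request.headers.get("cf-connecting-ip"), request.headers.get("cookie")]
    .filter((v) => typeof v === "string" && v.length > 0);
  return forbidden.some((v) => serialised.includes(v));
}

// Constructed stand-in for an incoming Worker request (plain object, not a real Request,
// so the Cloudflare-only cf property can be set directly).
const sampleRequest = {
  cf: { country: "GB" },
  headers: new Headers({
    "cf-connecting-ip": "203.0.113.5",
    "cf-ray": "8a1b2c3d4e5f6789-LHR",
    cookie: "session=constructed-sample",
  }),
};
const sampleText = "Constructed sample paragraph submitted to the humaniser.";
```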

We don't train models on your text. Neither do the model providers we route through; their API contracts explicitly exclude API-submitted content from training. See AI policy for the full data flow.

Transport security

We enforce a modern header set on every response:

  • Content-Security-Policy — strict, no inline scripts outside our allow-list.
  • Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  • X-Content-Type-Options: nosniff
  • Referrer-Policy: strict-origin-when-cross-origin
  • Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=()
  • X-Frame-Options: SAMEORIGIN

securityheaders.com rates humaniseai.ai A+. We re-verify on every significant release.
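As an added example (not the site's own code), the header set above and the HTTP-to-HTTPS 301 redirect from "What we run" applied in a Cloudflare Workers-style fetch handler, with a check that mirrors the per-release re-verification. The Content-Security-Policy value is a placeholder, since the page states only that the real policy is strict with an allow-list; the handler body and function names are mine.

```javascript
// Header values taken from this page; the CSP is a PLACEHOLDER, not the site's policy.
const SECURITY_HEADERS = {
  "Content-Security-Policy": "default-src 'self'; object-src 'none'; base-uri 'self'",
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
  "X-Content-Type-Options": "nosniff",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "Permissions-Policy": "camera=(), microphone=(), geolocation=(), payment=()",
  "X-Frame-Options": "SAMEORIGIN",
};

// Plain-HTTP requests get a 301 to the same URL over HTTPS; returns null when
// the request is already HTTPS so the caller can continue.
function enforceHttps(request) {
  const url = new URL(request.url);
  if (url.protocol !== "http:") return null;
  url.protocol = "https:";
  return Response.redirect(url.toString(), 301);
}

// Responses from fetch() or an asset binding carry immutable headers in Workers,
// so rebuild the Response before setting ours. Existing values are overwritten,
// which stops an upstream from weakening the policy.
function applySecurityHeaders(response) {
  const hardened = new Response(response.body, response);
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) {
    hardened.headers.set(name, value);
  }
  return hardened;
}

// Release-time check: every header present with the exact expected value.
function hasFullHeaderSet(response) {
  return Object.entries(SECURITY_HEADERS).every(
    ([name, value]) => response.headers.get(name) === value
  );
}

// Minimal synchronous handler standing in for the Worker's fetch(): redirect first,
// then serve a constructed body with the full header set.
function handleRequest(request) {
  const redirect = enforceHttps(request);
  if (redirect) return redirect;
  const body = new Response("ok", { headers: { "content-type": "text/plain" } });
  return applySecurityHeaders(body);
}
```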

Abuse prevention

The humaniser is free and unlimited at the intended-use level, but the internet exists. We use:

  • Cloudflare Turnstile on the humaniser form when automated patterns are detected.
  • Rate limiting per IP on /api/humanise. Limits are generous for human users and very tight for automation.
  • Request abort on client disconnect. Long rewrites cancel immediately if you close the tab.
  • Suspicious-pattern detection on input text (extreme-length payloads, known abuse signatures).

None of this requires an account from legitimate users. You'll meet the challenge page only if your request pattern looks automated.

Vulnerability reporting

We welcome responsible disclosure. If you believe you've found a security issue:

  • Email security@humaniseai.ai.
  • Expected response: within 2 working days (UK business hours).
  • Scope: anything under humaniseai.ai and *.humaniseai.ai. Out of scope: automated scanner reports without a working PoC, self-XSS, missing headers on non-production subdomains, and clickjacking on pages without sensitive state.
  • Safe harbour: we will not pursue legal action against good-faith researchers who follow the guidance in /.well-known/security.txt.

We don't currently run a paid bug bounty, but we'll credit researchers who want credit, and we send thank-you gifts for meaningful findings.

Compliance

  • GDPR / UK GDPR. We process minimal personal data (anonymised request metadata only). Data subject rights (access, erasure, portability) are honoured; see Privacy for the request process.
  • CCPA. Californian users have equivalent rights; same request process.
  • SOC 2. Not currently certified — we're a small team without enterprise customers, so the overhead would be disproportionate. Write to security@humaniseai.ai if you need a specific attestation.
  • Children. humaniseai.ai is not directed at children under 13 (under 16 in the UK). We do not knowingly process their data.

Incident history

We keep this page up to date. As of 2026-04-20, we have had no publicly disclosed security incidents. If that changes, we will publish a post-mortem within 30 days and notify affected users directly where possible.


Last reviewed: 2026-04-20 · Next scheduled review: 2026-10-20.
