Security

Last updated: June 2026

Content-Security-Policy

Every page is served with a strict Content-Security-Policy that allows only same-origin scripts, styles, and connections. There are no third-party scripts, no external trackers, and inline script is tightly scoped to the app itself.

No server-side invoice storage

Because invoices live only in your browser, there is no server database to breach. An attacker who compromised the server could not read your invoice history — there isn't one.

Client-side PDF generation

PDFs are produced in your browser, so invoice content is never uploaded to a server to be rendered. The file you download is generated on your device.

Input sanitization

All invoice text fields are sanitized before they are rendered into the PDF, to prevent markup injection from crafted invoice data or share links.

Payments via Stripe

Card data is handled entirely by Stripe's PCI-DSS-compliant infrastructure. Billify's server only ever sees an opaque token representing your subscription — never your card.