Security
Last updated: June 2026
Content-Security-Policy
Every page is served with a strict Content-Security-Policy that allows only same-origin scripts, styles, and connections. There are no third-party scripts, no external trackers, and inline script is tightly scoped to the app itself.
No server-side invoice storage
Because invoices live only in your browser, there is no server database to breach. An attacker who compromised the server could not read your invoice history — there isn't one.
Client-side PDF generation
PDFs are produced in your browser, so invoice content is never uploaded to a server to be rendered. The file you download is generated on your device.
Input sanitization
All invoice text fields are sanitized before they are rendered into the PDF, to prevent markup injection from crafted invoice data or share links.
Payments via Stripe
Card data is handled entirely by Stripe's PCI-DSS-compliant infrastructure. Billify's server only ever sees an opaque token representing your subscription — never your card.