Security & Privacy

Why Security Scanners Flag This Site

Some automated security scanners may flag ReaderWrangler as suspicious. Here's why these are false positives:

Privacy & Data Security

• No Account Required: No sign-up, no login, no personal information collected.
• Your Library Stays in Your Browser: All book data (titles, covers, folders, tags) is stored in your browser's local storage. It is not uploaded to any cloud service.
• Encrypted Data Transfer: When syncing between the bookmarklet and the app, your library data is encrypted end-to-end (AES-256-GCM) before it leaves your browser. The relay server stores and returns encrypted data it cannot read. Your encryption keys never leave your devices.
• No Cloud Storage: The relay is a temporary pass-through, not a permanent store. Synced data expires automatically (10 days for library imports, 90 days for device state).
• Privacy-Focused Analytics: We use GoatCounter for basic traffic statistics (page views, referrers) and anonymous usage events (e.g., how often imports and backups occur) to improve the site. GoatCounter uses no cookies, collects no personal data, and does no cross-site tracking. Your book library data is never included in analytics.
• Open Source: All code is visible on GitHub. Security rests on encryption, not obscurity.

How the Bookmarklet Works

The bookmarklet is a small piece of JavaScript that runs on Amazon.com pages. Here's exactly what it does:

1. Shows a navigation dialog with options
2. When you click "Refresh Library Data", it loads the fetcher script
3. The script reads your book data from the Amazon page you're viewing
4. Your data is encrypted in the browser using your personal encryption keys
5. The encrypted data is uploaded to a temporary relay (Cloudflare Worker)
6. The ReaderWrangler app downloads and decrypts it using the same keys

The relay server only ever sees encrypted data. Your encryption keys are generated on your device and never sent to the server.

Verify the Code Yourself

All source code is available for inspection:

• bookmarklet-nav-hub.js — Navigation dialog
• amazon-library-fetcher.js — Library data fetcher
• amazon-collections-fetcher.js — Collections fetcher
• amazon-wishlist-fetcher.js — Wishlist fetcher
• series-page-fetcher.js — Series page fetcher
• author-bibliography-fetcher.js — Author bibliography fetcher
• relay-crypto.js — Encryption module (AES-256-GCM)
• relay-client.js — Relay communication
• readerwrangler.js — Main application

For a comprehensive technical security review, see our Security Model documentation.

Run It Locally

Don't want to use our hosted version? ReaderWrangler is open source under the MIT License with Commons Clause. Download the source from GitHub (Code → Download ZIP), unzip, and open readerwrangler.html in your browser. No installation required.

The app runs entirely from your machine. The only external dependency is the relay for syncing data between the bookmarklet and the app — self-hosted users still use our Cloudflare relay for this, or can deploy their own using the source in the relay/ directory.