Security

Last updated: April 2026

Current posture

CourseKit is a public no-account web app. The safest path for a tool like this is to keep as much processing in the browser as possible, avoid persistent user accounts, and minimize what reaches the server.

Browser-first by design

  • Alt-Scan runs in the browser for DOCX, PPTX, and tagged-PDF checks.
  • Course Analyzer runs in the browser for IMSCC course exports.
  • Question Bank Formatter still uses temporary server processing for uploaded files that need DOCX or PDF extraction.

Data handling

  • No account is required to use CourseKit.
  • Uploaded file contents are not stored after processing.
  • No third-party analytics or tracking scripts are loaded by the app.

More detail is available on the privacy page.

Security controls

  • HTTPS with HSTS
  • Frame embedding blocked
  • MIME sniffing disabled
  • Referrer policy enabled
  • Content Security Policy and browser permissions hardening
  • Browser-first processing for the highest-risk file analysis flows
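
One way a reviewer could check the header-based controls listed above against a response, as an added example that is not CourseKit's own code. The check names, the mapping of "browser permissions hardening" to the Permissions-Policy header, and the sample header values are assumptions constructed for illustration.

```python
# Added example: maps each header-based control in the list above to a check.
# Check names and the GOOD/WEAK sample headers are constructed, not CourseKit's.

def hsts_max_age(value):
    """Return max-age seconds from a Strict-Transport-Security value, or 0."""
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name.lower() == "max-age":
            arg = arg.strip('"')
            return int(arg) if arg.isdigit() else 0
    return 0

def csp_directives(value):
    """Parse a Content-Security-Policy value into {directive: [sources]}."""
    out = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:  # the first occurrence of a directive wins, as in browsers
            out.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return out

def audit_headers(headers):
    """Return {control: bool} for one response's headers (names case-insensitive)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    # A Report-Only policy is not enforced, so only the enforcing header counts.
    csp = csp_directives(h.get("content-security-policy", ""))
    xfo = h.get("x-frame-options", "").upper()
    return {
        "hsts": hsts_max_age(h.get("strict-transport-security", "")) > 0,
        "frame_embedding_blocked": xfo in ("DENY", "SAMEORIGIN")
            or csp.get("frame-ancestors") in (["'none'"], ["'self'"]),
        "mime_sniffing_disabled": h.get("x-content-type-options", "").lower() == "nosniff",
        "referrer_policy": h.get("referrer-policy", "").lower() not in ("", "unsafe-url"),
        "csp_enforced": bool(csp),
        "permissions_policy": bool(h.get("permissions-policy")),
    }

def missing_controls(headers):
    return sorted(name for name, ok in audit_headers(headers).items() if not ok)

GOOD = {  # constructed sample
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
WEAK = {  # constructed sample: HSTS switched off, CSP report-only, obsolete XFO value
    "Strict-Transport-Security": "max-age=0", "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy-Report-Only": "default-src 'self'",
    "X-Frame-Options": "ALLOW-FROM https://example.com",
}
```

Passing the response headers of a real request as a dict to `missing_controls` lists which of the controls are not in effect for that response.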

Responsible disclosure

If you believe you found a security issue, email victor@coursekit.tools. A machine-readable disclosure contact is also available at /.well-known/security.txt.

Limits

CourseKit is a practical workflow tool, not a formal compliance certification platform. Institutional reviewers should still validate their own handling of FERPA-covered or otherwise sensitive materials before wider adoption.