ManaTuner is a 100% client-side application. There is no backend, no database, no server-side processing, and no user authentication. All calculations happen in your browser.

| Aspect | Status |
|---|---|
| Backend | None - 100% client-side |
| Database | None - localStorage only |
| Authentication | None - no accounts |
| Data transmission | None - decklists never leave your browser |
| External API | Scryfall (read-only, public card data) |

If you discover a security vulnerability:
- DO NOT create a public GitHub issue
- Use GitHub Security Advisories (preferred)
- Or email the maintainer directly via GitHub profile
- Acknowledgment: Within 48 hours
- Assessment: Within 7 days
- Fix: Depends on severity

Strict CSP headers configured in `vercel.json`:

```
default-src 'self';
script-src 'self';
style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn.jsdelivr.net;
img-src 'self' data: https://cards.scryfall.io https://c1.scryfall.com;
connect-src 'self' https://api.scryfall.com https://*.ingest.sentry.io;
frame-ancestors 'none';
```

- `X-Frame-Options: DENY` - Prevents clickjacking
- `X-Content-Type-Options: nosniff` - Prevents MIME sniffing
- `Strict-Transport-Security` - HTTPS enforced with preload
- `Referrer-Policy: strict-origin-when-cross-origin`
- `Permissions-Policy: camera=(), microphone=(), geolocation=()`

- All deck data stored in browser `localStorage` as JSON (no server transmission)
- No cookies, no tracking, no analytics
- Export/import feature for data portability
- One-click data deletion
- Regular `npm audit` checks
- Dependabot enabled for automated security updates
- Minimal dependency footprint
- Never commit secrets or API keys
- All PRs reviewed before merge
- Use `npm audit` before submitting changes
- Follow CSP restrictions when adding external resources
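
One way to check a new external resource against the CSP before opening a PR, as an added example (not ManaTuner's own code): it parses the policy listed on this page and reports whether a URL is permitted under a given directive. `SELF_ORIGIN`, `parseCsp`, `sourceMatches` and `isAllowed` are hypothetical names, and only the source forms this policy uses (quoted keywords, `data:`, hosts with an optional `*.`) are handled.

```javascript
// Policy copied from the CSP listed on this page.
const POLICY = [
  "default-src 'self'",
  "script-src 'self'",
  "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn.jsdelivr.net",
  "img-src 'self' data: https://cards.scryfall.io https://c1.scryfall.com",
  "connect-src 'self' https://api.scryfall.com https://*.ingest.sentry.io",
  "frame-ancestors 'none'",
].join("; ");
// Assumption: placeholder origin standing in for the deployed site ('self').
const SELF_ORIGIN = "https://app.example";

// Parse the policy string into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    // Browsers ignore a repeated directive: the first occurrence wins.
    if (key && !directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Match one source expression against a parsed URL.
function sourceMatches(source, url) {
  // Quoted keywords: only 'self' can match a URL ('none', 'unsafe-inline' cannot).
  if (source.startsWith("'")) return source === "'self'" && url.origin === SELF_ORIGIN;
  // Scheme source such as "data:".
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  // Host source: optional scheme, optional "*." wildcard, host name.
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:]+)/i.exec(source);
  // This policy lists no ports, so only default-port URLs can match.
  if (!m || url.port) return false;
  const [, scheme, wildcard, host] = m;
  if (scheme && url.protocol !== scheme.toLowerCase() + ":") return false;
  const want = host.toLowerCase();
  // "*.example.com" requires at least one extra label; the bare host does not match.
  return wildcard ? url.hostname.endsWith("." + want) : url.hostname === want;
}

// True when the fetch directive (falling back to default-src) permits the URL.
function isAllowed(directive, resource, policy = POLICY) {
  const directives = parseCsp(policy);
  const sources = directives.get(directive) ?? directives.get("default-src") ?? [];
  const url = new URL(resource, SELF_ORIGIN);
  return sources.some((s) => sourceMatches(s, url));
}
```

A `false` result for a resource you intend to add means the matching directive in `vercel.json` has to change in the same PR, which makes the widened policy visible to the reviewer.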
Last Updated: April 2026 Version: 2.2.0