INTELREAP
Deep Dive · Canvas 7

Security & Privacy Panel

How Safe Are You Right Now?

HTTPS status, WebRTC leaks, permissions, storage access, and your live security score — scanned the moment this page loads.

Security & Privacy Panel How Safe Are You Right Now?
HTTPS Status
Secure Context
Mixed Content
WebRTC Exposure
Local IP Leak
WebRTC IP Match
Cookie Access
localStorage Access
sessionStorage Access
IndexedDB Access
Camera Permission
Microphone Permission
Location Permission
Notification Permission
Clipboard Read
Clipboard Write
Do Not Track
Third-Party Cookies
Referrer Policy
Content Security Policy
Fingerprint Surfaces
Security Flags
Security Warnings
Security Score
Parameter by Parameter

Understanding Every Signal

What each security check actually tests, and why the result matters.

Connection Security

HTTPS Status & Secure Context

HTTPS confirms your connection to this site is encrypted in transit. Secure context is a stricter browser-level check — it confirms the browser will allow sensitive APIs (camera, microphone, geolocation, WebCrypto) to run. A page can technically be served over HTTPS but still fail the secure context check in edge cases involving mixed content or unusual origins.

Mixed Content

Mixed content means an HTTPS page is loading resources (scripts, images, iframes) over HTTP. Even one HTTP resource weakens the security of an otherwise encrypted page, since that resource can be intercepted and modified in transit. Modern browsers block active mixed content (scripts and iframes) by default but may allow passive content (images) with a warning.

WebRTC Exposure

WebRTC Exposure, Local IP Leak & WebRTC IP Match

WebRTC is a browser API for peer-to-peer communication. It can reveal your real local network IP address (typically 192.168.x.x or 10.x.x.x) even when accessed over a VPN, because it communicates directly rather than through the VPN tunnel. Local IP leak confirms whether your private network address is visible. WebRTC IP match checks whether the public IP WebRTC reports matches what the rest of your connection shows — a mismatch is a VPN leak.

Storage Access

Cookie, localStorage, sessionStorage & IndexedDB Access

These four confirm whether the browser will actually write to each storage mechanism. Users in private browsing, or with aggressive privacy settings, may have some or all of these blocked. Sites that rely on any of these for session management, preferences, or offline capability will behave differently when they're unavailable — knowing which are accessible explains unexpected behavior on some sites.

Permissions

Camera, Microphone, Location & Notification Permission

These report the current permission state — granted, denied, or prompt — for each sensitive API. The states shown here don't mean IntelReap has requested these permissions; it uses the Permissions API to read whatever state was previously set by user decisions on this site or through browser-level defaults, without triggering any new prompts.

Clipboard Read & Write

Clipboard access requires explicit user permission and is gated by a prompt in most browsers. Clipboard read permission is particularly sensitive since it would allow a page to read whatever you've copied system-wide. These are checked via the Permissions API — IntelReap never actually accesses your clipboard content.

Privacy Signals

Do Not Track, Third-Party Cookies & Referrer Policy

Do Not Track is a voluntary browser signal requesting sites not track browsing behaviour — most sites ignore it, but its presence confirms the user has opted in. Third-party cookie access tells you whether cross-site cookies can be set in your browser — increasingly blocked by default. Referrer policy reports what navigation origin information this page's server declares it will share with subsequent requests.

Content Security Policy, Fingerprint Surfaces, Security Flags & Warnings

CSP presence confirms whether this page is served with a Content Security Policy header, which restricts what resources can load and helps prevent XSS attacks. Fingerprint surfaces is a count of how many browser APIs that are commonly exploited for fingerprinting are accessible on your browser. Security flags and warnings are the specific issues found during the scan that contributed to lowering your security score.

Bigger Picture

What Your Security Score Actually Reflects

It's about your browser's current configuration, not about you

A low security score doesn't mean your device is compromised or that you're under attack. It means your current browser configuration exposes more surfaces than a hardened configuration would — an open WebRTC local IP, broad permissions previously granted, or storage fully accessible. Most of these are adjustable through browser settings or privacy-focused extensions.

The most impactful single change most users can make

If only one security improvement were worth making, disabling WebRTC in browsers where it isn't needed for active use has the highest return for the effort. It eliminates the local IP leak entirely and removes the VPN bypass risk. Most desktop browsers expose a setting or extension option to do this without disabling other functionality.

Security & Privacy — Frequently Asked Questions

WebRTC communicates directly between browsers rather than through web servers, which means it can expose your real IP address even when you're connected through a VPN. A local IP leak shows your private network address; a public IP mismatch means WebRTC is revealing your real internet IP instead of the VPN's exit IP.
No. Do Not Track is a voluntary signal — sending it asks sites to respect your preference, but there is no technical enforcement and the vast majority of sites ignore it. Its main practical effect is adding a small signal to your browser's fingerprint, since the population of users who send DNT is a subset distinguishable from those who don't.
A high fingerprint surface count means more of the browser APIs commonly used to identify devices are accessible in your browser. More surfaces don't automatically mean you're more tracked — they mean more data is theoretically available to any site that chooses to collect it.
Blocking permissions improves privacy but can break legitimate functionality — video calls need camera and microphone, navigation apps need location. The most practical approach is granting permissions only when prompted by a site you actively need them for, rather than pre-granting them globally.
Methodology Sources
01W3C Permissions API specification
02W3C WebRTC specification and IP exposure research
03W3C Content Security Policy Level 3 specification