How secure PDF redaction works

Redaction should make hidden text unrecoverable, not just invisible. Most online tools fail this: they draw a black box but leave the text — or its geometry — in the file.

The glyph-position leak

The 2022 paper Story Beyond the Eye (arXiv:2206.02285) tested popular PDF redactors and found most leak the redacted content. Two failure modes: the characters stay in the content stream behind the box, or — even when deleted — the surrounding glyph advance widths and positions still encode the hidden string's length and identity, allowing reconstruction.

What SecureRedact does instead

• Removes the text operators in the redacted region from the content stream.
• Reflows or strips glyph positions so the geometry can't be used to infer the hidden text.
• Rasterizes the redacted region at print resolution as a safety net.
• Strips metadata — XMP/Info, embedded JavaScript, thumbnails — and collapses incremental-update history so old revisions can't leak.
• Audits the result — an independent recovery tool tries text extraction, glyph-position inference, metadata, and prior-revision recovery; the download is blocked unless nothing is recoverable.

All in your browser

Every step runs client-side via pdf.js, pdf-lib, and a canvas renderer. Your file is never uploaded. Try it now →