Even the website
respects the rules.
A privacy product can't ship a marketing site stuffed with trackers. This site is static, carries no analytics or advertising cookies, and locks down a strict Content-Security-Policy with hardened HTTP headers.
Static, and locked down.
There's no application server rendering pages and no third-party script running in your browser. The hardening is enforced at the edge with HTTP response headers — here's what's actually set.
No trackers, no cookies
The site ships no analytics SDKs and no advertising cookies — fitting, given where Searxly stands on surveillance advertising. Nothing here profiles you.
Strict CSP
A Content-Security-Policy restricts scripts and styles to the site's own origin, forbids plugins and framing, and upgrades any insecure request — shrinking the attack surface for injection.
No clickjacking
frame-ancestors 'none' and X-Frame-Options: DENY mean the site can't be embedded in an iframe to trick you into clicking something you didn't mean to.
MIME & referrer hardening
X-Content-Type-Options: nosniff stops content-type confusion, and a strict referrer policy keeps your navigation from leaking across origins.
Powerful features off
A Permissions-Policy disables camera, microphone, geolocation, USB, payment and ad-topics APIs — the site never asks, so they can't be abused.
Origin isolation
Cross-Origin-Opener-Policy: same-origin isolates the browsing context from other origins, closing a class of cross-window attacks.
Nothing hidden.
default-src 'self'; object-src 'none'; script-src 'self'; frame-ancestors 'none'; upgrade-insecure-requests (connect limited to the site + the Base RPC)DENYnosniffstrict-origin-when-cross-origincamera=(), microphone=(), geolocation=(), payment=(), usb=(), browsing-topics=()same-originThe site respects you too.
No trackers, a strict CSP, hardened headers. The app goes much further, and it's free to download.