Heronix Browser
A district-owned, offline-first managed web browser for K-12 schools — with built-in web filtering, single sign-on, and a FERPA privacy firewall. Your district runs the server, signs its own policy, and configures its whole fleet from one signed file.
District-owned, self-hosted
A small school server runs on one Linux host your district controls — the policy store, identity provider, rostering service, and PII vault. No external database required for a pilot.
Offline-first by guarantee
Filtering, sign-in, dictionary, lessons, classroom tools, and SSO all work with no connection to any Heronix server. Every release is built to pass with the network disabled.
FERPA privacy firewall
When a site asks for student PII, the browser substitutes a token; real values stay in the district vault, reversible only by IT under audit. No outside vendor sees the real child.
What Heronix Browser does
Safe browsing, single sign-on, and offline-first reliability — built into the browser, not bolted on.
Built-in web filtering
Every navigation is checked against the district's signed policy — categories, domains, SafeSearch, downloads, and dev-tools. Blocked pages explain why, with a one-click "ask my teacher" review. Teachers can grant time-boxed, class-scoped exceptions, and IT can trigger a one-click emergency fleet lockdown.
Single sign-on & launcher
Log in once and open any Heronix product from a tile bar, already signed in. The district server is a full OAuth2/OIDC provider; products verify a short-lived, district-signed proof offline.
Works with what schools already run
Broker logins from ClassLink, Clever, Okta, Google, or Microsoft Entra, and import or serve class rosters via OneRoster 1.2 — by CSV or REST.
FERPA privacy firewall
A masked email, stand-in name, and fake-but-valid ID are substituted whenever a site asks for student PII. Real values stay in the district vault, reversible only by IT under audit.
Study tools
Academic search (Scholar), an offline dictionary, and a distraction-free reader with read-aloud and dyslexia-friendly fonts. An optional AI tutor runs on-device, local-only.
Classroom tools
A Class Screen (timer, name picker, traffic light), a live teacher console, and a noise meter — audio is measured, never recorded.
Accessibility
Text-to-speech, a reading ruler, OpenDyslexic and Lexend fonts, and high-contrast surfaces — built to WCAG 2.1 AA throughout, with an automated accessibility audit on every build.
IT control
A web admin console covers policy, filters, unblocks, devices, lockdown, SSO clients, rostering, and FERPA vendor policy with audit — and the whole fleet is configured from one signed provisioning file.
Deployment model
District-managed and self-hosted. A small Node/Fastify school server runs on one Linux host — your district's policy store, OIDC identity provider, rostering service, and PII vault. No external database is required for a pilot.
Offline-first. Filtering, sign-in, dictionary, lessons, classroom tools, and SSO all work with zero connection to any Heronix server.
Platform. Windows 10/11 desktop client, installed per user. Other operating systems are future scope.
In scope today (v1.x)
- Managed browsing & web filtering
- SSO / OAuth2-OIDC provider + IdP brokering
- OneRoster 1.2 SIS import
- FERPA PII tokenization
- Classroom, accessibility & study tools
- Signed provisioning
- Secure self-hosted update pipeline
Standards & compliance targets
Built against the standards K-12 procurement and IT teams ask about.
Under the hood
The tools and cryptography behind the browser, the server, and how it stays current.
Client
- Hardened Electron 41 shell — sandboxed preloads, context isolation, policy-checked navigation
- TypeScript 5 (strict) across client, server, and shared packages
- React 18 + Vite 8 renderer surfaces
- SQLCipher AES-256 encrypted local store, key-wrapped by the OS keystore (TPM/DPAPI)
Server & identity
- Node.js + Fastify 5 REST API with fail-closed RBAC and a web admin console
- Ed25519 signatures throughout — updates, policy, session tokens, SSO assertions, provisioning
- OAuth2/OIDC provider + broker; OneRoster 1.2 import/serve
- Session tokens rotate on refresh and are revocable; signing keys rotate on a schedule
Packaging & updates
- electron-builder → Windows NSIS installer; Authenticode signing wired and verifiable
- Custom secure updater (TUF-style two-role Ed25519 chain): verify-before-install, versioned installs, rollback, and offline/air-gapped import
- Districts publish signed updates to their own mirror — the only "phone-home," and it is the district's own
- Tested with Vitest (unit), Playwright (end-to-end), and an axe-core WCAG 2.1 AA audit
What makes it different
Trust you can verify, on infrastructure you own.
District-owned
You run the server, sign the policy, and control the keys. Heronix only ships signed security updates.
Trust is cryptographic
Everything is Ed25519-signed and verified on-device against keys you control.
Student PII stays on-device
PII is tokenized before it can leave the device — FERPA becomes a property of the software.
Offline-first is a guarantee
Every release must pass with the network disabled.
Privacy by construction
No telemetry, no ad or tracking surface, de-Googled defaults.
Configured from one file
The whole fleet is provisioned from a single signed file the district controls.
Status & readiness
Heronix Browser is v1.0.1 and pilot-ready for a supervised closed pilot — on district devices, with IT present. Tests are green, the dependency audit is clean, and zero-egress operation is verified.
Releases follow Semantic Versioning, and districts receive signed updates through their own mirror. We're working with a small number of districts in closed pilot before broader rollout.
Privacy is part of the architecture
Like the rest of the Heronix lineup, Heronix Browser keeps student data inside the district perimeter. PII is tokenized on-device before any site can see it, and the product phones home to nothing but the district's own update mirror.
Want to learn more about Heronix Browser?
We're talking with districts interested in a district-owned, offline-first browser. Reach out and we'll walk you through it.