Security

droplet is built so that a full database compromise yields almost nothing useful to the attacker.

Encryption

• Per-share AES-256-GCM key, generated client-side via WebCrypto.
• HKDF-SHA256 expands the key into separate content and metadata subkeys.
• Argon2id (m=64 MiB, t=3) for share password gates.
• The encryption key lives in the URL fragment — never sent to our servers.

What we store

• Ciphertext blobs (R2, encrypted at rest with managed AES-256-GCM).
• Encrypted metadata blobs (filename, mime, size).
• HMAC-keyed email hashes (never the email itself).
• Argon2id token hashes (never the token itself).
• Hashed IPs (rotated daily pepper).

Defense in depth

• OAuth 2.1 + PKCE for Google sign-in.
• HttpOnly, Secure, SameSite=Lax session cookies. 15-minute JWT TTL.
• Per-user, per-IP, per-share rate limits via Durable Objects.
• Cloudflare DDoS, Bot Fight, Turnstile on signup.
• User HTML served from a separate apex with strict CSP and sandbox.
• Async abuse-scan pipeline; auto-suspend after threshold of reports.

Reports: [email protected] · Security disclosure: [email protected].