SECURITY

How we protect your data and ensure service integrity.

1. INFRASTRUCTURE SECURITY

Cloudflare Global Network:

  • Built on Cloudflare's secure infrastructure
  • DDoS protection and WAF (Web Application Firewall)
  • Edge computing for distributed security
  • 99.9% uptime SLA

2. DATA PROTECTION

Encryption:

  • In Transit: All data transmitted via HTTPS/TLS 1.3
  • At Rest: Data encrypted in Cloudflare D1 database
  • API Keys: Stored as encrypted secrets

Privacy Measures:

  • IP addresses are hashed before storage
  • No unnecessary data collection
  • GDPR compliant data handling

3. AUTHENTICATION

  • Powered by Supabase Auth (enterprise-grade)
  • OAuth 2.0 for Google sign-in
  • JWT token-based authentication
  • Secure session management
  • Password requirements: minimum 6 characters

4. ABUSE PREVENTION

Rate Limiting:

  • IP-based rate limiting to prevent spam
  • Automatic blocking of abusive IPs (6-hour blocks)
  • Different limits for guests vs. authenticated users

URL Validation:

  • Input sanitization to prevent XSS attacks
  • URL format validation
  • Malicious URL detection (planned)

5. APPLICATION SECURITY

  • CORS: Properly configured cross-origin policies
  • CSP: Content Security Policy headers
  • SQL Injection: Parameterized queries in D1
  • XSS: Input sanitization and output encoding

6. MONITORING AND INCIDENT RESPONSE

  • Real-time error tracking and logging
  • Cloudflare Analytics for traffic monitoring
  • Automated alerts for suspicious activity
  • Regular security audits

7. DATA RETENTION

  • Shortened URLs: Permanent (unless deleted by user)
  • Analytics data: Retained for service lifetime
  • Logs: 30 days retention
  • User accounts: Until deletion requested

8. THIRD-PARTY SERVICES

We use these trusted providers:

  • Cloudflare: Infrastructure, CDN, security
  • Supabase: Authentication and user management

All providers are SOC 2 Type II compliant and GDPR compliant.

9. SECURITY BEST PRACTICES

For Users:

  • Use strong, unique passwords
  • Enable two-factor authentication (coming soon)
  • Keep your account email secure
  • Log out from shared devices
  • Don't share shortened URLs containing sensitive data

10. VULNERABILITY REPORTING

If you discover a security vulnerability, please report it responsibly:

  • Email: security@short.link
  • Provide detailed information about the vulnerability
  • Allow us reasonable time to address the issue
  • Do not exploit the vulnerability

We appreciate responsible disclosure and will acknowledge reports within 48 hours.

11. COMPLIANCE

  • GDPR (General Data Protection Regulation)
  • CCPA (California Consumer Privacy Act)
  • Industry-standard security practices

12. UPDATES

This security page is regularly updated to reflect our current practices. Last updated: January 22, 2026.

13. CONTACT

For security-related questions:

Email: security@short.link