Security
YourSiteName is designed from the ground up with a minimal attack surface, strong defaults, and no unnecessary data retention.
Encryption
Secret content is XOR-obfuscated with the public token as a key before being written to the database. The raw plaintext is never stored at rest. Even with direct database access, the content cannot be read without the corresponding token.
One-time access
Each public link is cryptographically unique and can only be used once when "Burn after reading" is enabled. The moment the secret is revealed, the stored content is deleted and the token is permanently invalidated. There is no way to recover the content after destruction.
Zero third-party requests
YourSiteName makes no outbound requests to third parties at runtime. Fonts, scripts, and map assets are all self-hosted. There are no CDN calls, no analytics beacons, and no external tracking of any kind.
Strict Content Security Policy
Every response includes a strict CSP header: script-src 'self', style-src 'self', default-src 'none'. This prevents cross-site scripting, data injection, and unauthorized resource loading at the browser level.
Security headers
All responses include a full suite of security headers via Helmet.js: X-Frame-Options, X-Content-Type-Options, Strict-Transport-Security, Referrer-Policy: no-referrer, Cross-Origin-Embedder-Policy, and Cross-Origin-Opener-Policy. The X-Powered-By header is suppressed.
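A deployment check for the CSP and security-header sections above, as an added example rather than code from the project: it audits a response's headers against the directives and header list stated here. The function names and the sample header values are assumptions; where the page names only a header, the check is for presence.

```javascript
// Added example, not project code: audit response headers against this page's policy.
const REQUIRED_CSP = { 'default-src': "'none'", 'script-src': "'self'", 'style-src': "'self'" };
// The page names these headers without values, so only presence is checked.
const REQUIRED_PRESENT = ['x-frame-options', 'x-content-type-options',
  'strict-transport-security', 'cross-origin-embedder-policy', 'cross-origin-opener-policy'];

// Parse "name src src; name src" into a map of directive -> sources.
// Per the CSP spec a repeated directive is ignored, so the first occurrence wins.
function parseCsp(value) {
  const directives = Object.create(null);
  for (const part of String(value || '').split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !(name.toLowerCase() in directives)) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Returns a list of findings; an empty list means the response matches the policy.
function auditSecurityHeaders(rawHeaders) {
  const h = Object.create(null);
  for (const [k, v] of Object.entries(rawHeaders)) h[k.toLowerCase()] = String(v);
  const findings = [];
  const csp = parseCsp(h['content-security-policy']);
  for (const [directive, expected] of Object.entries(REQUIRED_CSP)) {
    const sources = csp[directive];
    if (!sources) findings.push(`csp: ${directive} missing`);
    else if (sources.length !== 1 || sources[0] !== expected)
      findings.push(`csp: ${directive} is "${sources.join(' ')}", expected ${expected}`);
  }
  for (const name of REQUIRED_PRESENT) if (!h[name]) findings.push(`${name} missing`);
  if ((h['referrer-policy'] || '').trim().toLowerCase() !== 'no-referrer')
    findings.push('referrer-policy is not no-referrer');
  if ('x-powered-by' in h) findings.push('x-powered-by is exposed');
  return findings;
}

// Constructed sample responses; values not quoted on the page are assumptions.
const SAMPLE_OK = {
  'Content-Security-Policy': "default-src 'none'; script-src 'self'; style-src 'self'",
  'X-Frame-Options': 'SAMEORIGIN', 'X-Content-Type-Options': 'nosniff',
  'Strict-Transport-Security': 'max-age=15552000; includeSubDomains',
  'Referrer-Policy': 'no-referrer',
  'Cross-Origin-Embedder-Policy': 'require-corp', 'Cross-Origin-Opener-Policy': 'same-origin',
};
const SAMPLE_WEAK = { ...SAMPLE_OK, 'Referrer-Policy': 'strict-origin', 'X-Powered-By': 'Express',
  'Content-Security-Policy': "default-src 'none'; script-src 'self' 'unsafe-inline'" };

console.log(auditSecurityHeaders(SAMPLE_OK), auditSecurityHeaders(SAMPLE_WEAK));
```

Feed it the headers of a real response from your own instance (for example `Object.fromEntries(response.headers)` from `fetch`) after a reverse proxy is in place, since proxies can add or strip headers.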
Rate limiting
Link creation and secret reveal endpoints are rate-limited per IP to prevent abuse and enumeration attacks. Limits are configurable via environment variables.
No user accounts or global admin
There are no user accounts, no login system, and no global admin panel. Access to each secret's control panel is gated solely by possession of the private Control Link — a 256-bit random token. If you lose the Control Link, there is no recovery mechanism and no way to access the panel again.
Self-hosted by design
YourSiteName is a self-hosted application. Your secrets are stored on infrastructure you control, not on a shared cloud service. There is no central server with access to your data.
Automatic data deletion
Access logs are automatically purged after a configurable retention window (default: 30 days). Expired secrets and their associated logs are deleted on a scheduled cleanup cycle. No data persists indefinitely.
Geolocation
IP geolocation is performed using a bundled offline database — no IP addresses are sent to external services. Geolocation data is approximate and should not be used for precise attribution.
Responsible disclosure
YourSiteName is open-source software. If you discover a security issue, please review the source code and report it responsibly through the project's issue tracker. Do not disclose vulnerabilities publicly before the maintainers have had a reasonable opportunity to respond.