Security Architecture
Technical details on how your secrets stay secret.
Client-Side Cryptography
All encryption and decryption happens on your device using the Web Crypto API; the server only ever receives ciphertext. We use AES-256-GCM, an authenticated encryption mode (AEAD): the GCM authentication tag lets your browser detect any modification of the stored ciphertext and refuse to decrypt it, so you get integrity as well as confidentiality. Each encryption uses a fresh random IV, which GCM requires, since reusing an IV under the same key breaks both properties.
Key Management
Your encryption key is carried in the URL fragment (the part after the #). Browsers never send the fragment to the server: it is not part of the HTTP request, so it does not appear in our logs, and it is not included in Referer headers. We store only ciphertext, so even if our database is compromised, your pastes cannot be read. The flip side is that anyone who obtains the full link, fragment included, can decrypt the paste, so treat the link itself as the secret.
Secondary Protection (PBKDF2)
When you add a password, we derive a second key from it with PBKDF2 using 100,000 iterations and a random salt that is unique to each paste. The iteration count makes every guess expensive, and the per-paste salt prevents precomputed tables from being reused across pastes. This slows down brute-force and dictionary attacks but cannot rescue a weak password, so choose a long one.
Network Security
- A strict Content Security Policy (CSP) to mitigate XSS by restricting which scripts the page may load and run
- HTTP Strict Transport Security (HSTS) so browsers always connect over HTTPS
- X-Frame-Options to prevent clickjacking by refusing to be embedded in frames
- Strict rate limiting, backed by Upstash Redis, to throttle abusive clients
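One concrete form these controls can take, as an added example rather than the service's actual configuration: a header set matching the list above, and a fixed-window rate limiter with the INCR-plus-EXPIRE semantics a Redis-backed limiter typically uses, modelled with an in-memory Map so it runs offline. The directive values, window size and limit are illustrative assumptions.

```javascript
// Added example, not the service's own configuration or code.
// Header values, window size and limit are illustrative assumptions.
function securityHeaders() {
  return {
    // Scripts, styles and connections only from our own origin; no inline
    // script, no plugins, no framing; base-uri locked so an injected <base>
    // cannot redirect relative URLs.
    'Content-Security-Policy':
      "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; " +
      "connect-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'; form-action 'self'",
    // One year, subdomains included: after the first HTTPS visit the browser
    // refuses to talk plain HTTP to this host.
    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
    // Legacy clickjacking defence for browsers that ignore frame-ancestors.
    'X-Frame-Options': 'DENY',
  };
}

// Fixed window: the first hit in a window sets an expiry (like SET ... EX),
// every hit increments a counter (like INCR). `store` stands in for Redis;
// `now` is injectable so a test can move time forward deterministically.
function createRateLimiter({ limit = 10, windowMs = 60_000, now = Date.now } = {}) {
  const store = new Map(); // key (e.g. client IP) -> { count, resetAt }
  return function check(key) {
    const t = now();
    let entry = store.get(key);
    if (!entry || t >= entry.resetAt) {
      entry = { count: 0, resetAt: t + windowMs };
      store.set(key, entry);
    }
    entry.count += 1;
    return {
      allowed: entry.count <= limit,
      remaining: Math.max(0, limit - entry.count),
      retryAfterMs: entry.resetAt - t,
    };
  };
}
```

A real deployment would put the limiter in front of paste creation and use the client IP (or a stable client identifier) as the key; a fixed window is simple but lets a client burst 2x the limit across a window boundary, which a sliding-window variant avoids.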