At a glance
- Private collections are encrypted on your device before anything leaves it.
- We never store raw session tokens, IP addresses, or user-agent strings.
- All traffic is served over TLS with HSTS preload enforced.
- To report a vulnerability: [email protected]
Security
Last updated: 2026-05-23
End-to-end encryption
When you mark a collection as Private, your bookmark titles, URLs, notes, and tags are encrypted on your device before they leave it. The encryption key is derived from your master passphrase using PBKDF2 and HKDF; the passphrase itself is never transmitted to our servers. We store only ciphertext. We cannot read your Private collections, and we cannot hand their contents to a third party or a government agency.
Shared Private items use a fragment-key scheme: the decryption key travels in the URL fragment, which browsers do not send to the server. The recipient's browser decrypts locally.
Sessions
Session tokens are stored in our database as SHA-256 hashes — not the raw token — so a database compromise does not yield usable bearer tokens. Each session is bound to the IP /24 range and a hashed user-agent recorded at sign-in; a mismatch automatically revokes it. You can view and revoke every active session from Settings → Security.
Logging and IP addresses
We log authentication events, quota checks, and errors so we can debug problems and detect abuse. IP addresses are never stored raw: before writing to the database, we truncate each address to its /24 subnet and then apply an HMAC-SHA-256 hash keyed to a secret that rotates. The result is a one-way fingerprint we can use to correlate events during an incident. User-agent strings are hashed the same way. Logs are retained for 90 days.
Transport security
All traffic is served over TLS. The app domain is on the HSTS preload list, which means browsers hard-code HTTPS for the domain and refuse to connect over plain HTTP — no first-visit exception. TLS configuration is independently verified by Qualys SSL Labs.
Security headers
Every response includes a strict set of HTTP security headers: Content Security Policy, HTTP Strict Transport Security, X-Frame-Options, X-Content-Type-Options, Cross-Origin-Embedder-Policy, Cross-Origin-Opener-Policy, Cross-Origin-Resource-Policy, Permissions-Policy, and Referrer-Policy. Header configuration is independently checked by Mozilla Observatory.
Edge protection
The application runs behind Cloudflare. Cloudflare's WAF, Bot Fight Mode, and rate-limiting rules are active at the edge. Authentication endpoints enforce rate limits both at the edge and in the application layer.
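The application-layer half of the rate limiting above, as an added example that is not the service's own code: a sliding-window limiter applied to sign-in attempts on two keys, one per account name and one per client address. The limits, the window and the key scheme are assumptions.

```javascript
// Added example, not the service's own code: an application-layer sliding-window
// limiter for authentication endpoints, sitting behind the edge limit. Limits,
// window and key scheme are assumptions.
class AuthRateLimiter {
  constructor({ limit = 10, windowMs = 60000 } = {}) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.hits = new Map(); // key -> timestamps of allowed attempts, oldest first
  }

  // Returns { allowed, remaining, retryAfterMs }. Only allowed attempts are
  // recorded, so a blocked caller does not extend its own window.
  check(key, now = Date.now()) {
    const cutoff = now - this.windowMs;
    const recent = (this.hits.get(key) || []).filter((t) => t > cutoff);
    if (recent.length >= this.limit) {
      this.hits.set(key, recent);
      return { allowed: false, remaining: 0, retryAfterMs: recent[0] + this.windowMs - now };
    }
    recent.push(now);
    this.hits.set(key, recent);
    return { allowed: true, remaining: this.limit - recent.length, retryAfterMs: 0 };
  }
}

// Sign-in attempts are limited per client address (many accounts from one
// source) and per account name (one account from many sources). The address
// check runs first so an address already over its limit consumes no account quota.
function loginGate(limiters, { username, clientIp }, now = Date.now()) {
  const byIp = limiters.ip.check(`ip:${clientIp}`, now);
  if (!byIp.allowed) return { allowed: false, reason: 'ip', retryAfterMs: byIp.retryAfterMs };
  const byUser = limiters.user.check(`user:${username.trim().toLowerCase()}`, now);
  if (!byUser.allowed) return { allowed: false, reason: 'user', retryAfterMs: byUser.retryAfterMs };
  return { allowed: true, reason: null, retryAfterMs: 0 };
}

// Constructed configuration: a tight per-account limit and a looser per-address one.
function makeLoginLimiters() {
  return {
    user: new AuthRateLimiter({ limit: 5, windowMs: 60000 }),
    ip: new AuthRateLimiter({ limit: 20, windowMs: 60000 }),
  };
}
```

When the application sits behind Cloudflare, the address used for the per-address key has to be the client address the edge forwards (Cloudflare sends it in the CF-Connecting-IP header), not the address of the edge node, and that header is only trustworthy when the request demonstrably arrived through the edge.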
Cookies
We set one session cookie when you sign in. It is marked HttpOnly, Secure, and SameSite=Lax. We do not set tracking or advertising cookies of any kind.
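The transport, header and cookie sections above describe a response profile that can be checked mechanically. The following is an added example, not the service's own code or its actual configuration: it audits one response's headers against the header list, against the HSTS preload requirements (max-age of at least one year, includeSubDomains and preload) and against the cookie flags stated above. The header values and the cookie name in the sample responses are constructed.

```javascript
// Added example, not the service's own code: audit one HTTP response against
// the header set, the HSTS preload requirements and the session-cookie flags
// described on this page. Sample header values and cookie name are constructed.
const REQUIRED_HEADERS = [
  'content-security-policy', 'strict-transport-security', 'x-frame-options',
  'x-content-type-options', 'cross-origin-embedder-policy', 'cross-origin-opener-policy',
  'cross-origin-resource-policy', 'permissions-policy', 'referrer-policy',
];

// Parse "a=b; c; d=e" attribute lists (HSTS directives, cookie attributes)
// into a map with lowercase keys.
function parseAttrs(value) {
  const out = new Map();
  for (const part of value.split(';')) {
    const [k, ...rest] = part.trim().split('=');
    if (k) out.set(k.toLowerCase(), rest.join('=').trim());
  }
  return out;
}

// hstspreload.org requirements: max-age of at least one year, includeSubDomains, preload.
function auditHsts(value) {
  const findings = [];
  const d = parseAttrs(value);
  const maxAge = Number(d.get('max-age'));
  if (!(maxAge >= 31536000)) findings.push('hsts: max-age must be at least 31536000');
  if (!d.has('includesubdomains')) findings.push('hsts: includeSubDomains missing');
  if (!d.has('preload')) findings.push('hsts: preload directive missing');
  return findings;
}

// The session cookie must be HttpOnly, Secure and SameSite=Lax (Strict also passes).
function auditSessionCookie(setCookie) {
  const findings = [];
  const a = parseAttrs(setCookie);
  if (!a.has('httponly')) findings.push('cookie: HttpOnly missing');
  if (!a.has('secure')) findings.push('cookie: Secure missing');
  const sameSite = (a.get('samesite') || '').toLowerCase();
  if (!['lax', 'strict'].includes(sameSite)) findings.push('cookie: SameSite must be Lax or Strict');
  return findings;
}

// headers: lowercase header names -> value; 'set-cookie' may be an array.
function auditResponse(headers) {
  const findings = [];
  for (const name of REQUIRED_HEADERS) {
    if (!headers[name]) findings.push(`missing header: ${name}`);
  }
  if (headers['strict-transport-security']) findings.push(...auditHsts(headers['strict-transport-security']));
  if ((headers['x-content-type-options'] || '').toLowerCase() !== 'nosniff') {
    findings.push('x-content-type-options should be nosniff');
  }
  const cookies = [].concat(headers['set-cookie'] || []);
  for (const c of cookies) findings.push(...auditSessionCookie(c));
  return findings;
}

// Constructed sample responses: one that satisfies the profile and one that does not.
const GOOD_RESPONSE = {
  'content-security-policy': "default-src 'self'",
  'strict-transport-security': 'max-age=63072000; includeSubDomains; preload',
  'x-frame-options': 'DENY',
  'x-content-type-options': 'nosniff',
  'cross-origin-embedder-policy': 'require-corp',
  'cross-origin-opener-policy': 'same-origin',
  'cross-origin-resource-policy': 'same-origin',
  'permissions-policy': 'camera=(), microphone=(), geolocation=()',
  'referrer-policy': 'strict-origin-when-cross-origin',
  'set-cookie': ['session=EXAMPLE; Path=/; HttpOnly; Secure; SameSite=Lax'],
};
const WEAK_RESPONSE = {
  ...GOOD_RESPONSE,
  'strict-transport-security': 'max-age=300',
  'set-cookie': ['session=EXAMPLE; Path=/; SameSite=None'],
};
delete WEAK_RESPONSE['permissions-policy'];
```

auditResponse(GOOD_RESPONSE) returns an empty list; auditResponse(WEAK_RESPONSE) reports the missing Permissions-Policy header, the short, non-preloadable HSTS value and the cookie that lacks HttpOnly, Secure and a Lax or Strict SameSite setting.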
Reporting a vulnerability
If you discover a security issue, please email [email protected]. Include a description of the issue, the steps to reproduce it, and the potential impact. We will acknowledge your report within 3 business days and aim to resolve confirmed vulnerabilities within 30 days.
We do not have a paid bug bounty program, but we take every disclosure seriously, will keep you informed as we work on a fix, and will credit you in the changelog if you would like.
Please do not publicly disclose the issue until we have had a chance to address it. We commit to the same in return: we will not take legal action against researchers who act in good faith.