Security

Last updated: 2025-08-04

Overview

QRScannerPicture is designed to keep your images and links safe. Decoded URLs are not executed in the page; they only open in a separate tab with target="_blank" and rel="noopener noreferrer".

Data Flow

• Images are processed in your browser to detect QR codes.
• (soon!) We only store an image and overlay metadata if you click Save & Share.
• Stored metadata includes overlay coordinates and decoded text/URLs—no tracking pixels or scripts are injected.

Storage & Retention

Shared items (image + overlay JSON) are kept to power your shareable link. You may request removal at any time—see Data Deletion.

Link Safety

• Only http/https URLs are allowed.
• Links open in a new tab with noopener to prevent tab-nabbing.
• Non-URL text is displayed but not made clickable.

Transport Security

• All traffic is served over HTTPS.
• We recommend HSTS and modern TLS—see the header suggestions below.

Your Controls

• Request deletion of stored items.
• Do not upload sensitive images or secrets—treat shared links as public.

Operational Practices

• Dependencies are updated regularly to patch known CVEs.
• Logs are minimal (errors and request metadata) and used for reliability and abuse prevention.
• Rate limits and basic validations protect the API from abuse.

Security Headers (recommended)

Add these headers at the framework/edge level for stronger defaults:

Content-Security-Policy: default-src 'self'; img-src 'self' blob: data:; connect-src 'self'; frame-ancestors 'none';
  Referrer-Policy: strict-origin-when-cross-origin
  X-Content-Type-Options: nosniff
  X-Frame-Options: DENY
  Permissions-Policy: camera=(), microphone=(), geolocation=()
  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload