Security

Security Architecture

QRDoc is designed with a security-first philosophy. The following controls are implemented:

• HTTPS enforcement: The application redirects any HTTP access to HTTPS automatically.
• Content Security Policy (CSP): A strict CSP header blocks execution of unauthorised scripts, styles, frames, and external connections.
• Subresource Integrity (SRI): The QRCode.js library is loaded with a verified cryptographic hash to prevent CDN-based supply-chain attacks.
• X-Frame-Options: DENY: Prevents QRDoc from being embedded in iframes, mitigating clickjacking.
• X-Content-Type-Options: nosniff: Prevents MIME-type sniffing attacks.
• X-XSS-Protection: Legacy XSS filter enabled for older browsers.
• Strict referrer policy: Limits referrer information sent to third parties.
• Client-side rate limiting: Limits QR generation to 3 per 60 seconds to prevent automated misuse.
• Input sanitisation: All URL inputs are sanitised and validated against platform-specific patterns before processing.
• No external API calls: QRDoc makes no outbound network requests beyond loading the CDN library.
• Sensitive data clearing: Application state containing URLs is cleared on page unload.

Responsible Disclosure

If you discover a security vulnerability in QRDoc, please report it privately via our Contact page. Do not open public issues for security findings. We commit to acknowledging reports within 5 business days and resolving confirmed vulnerabilities promptly.

Scope

The security controls above apply to the QRDoc interface. We are not responsible for the security posture of third-party cloud platforms (Google Drive, Dropbox, OneDrive) or the GitHub Pages hosting infrastructure.