
Security

Last updated: June 2025 · QRDoc by Ashwinkumar D Basari

Security is built into QRDoc by design. This page documents every technical control in place, why it exists, and the known limitations — so you can make an informed decision about using this tool.

Security Controls Summary

The table below lists all security measures active in QRDoc and their current status:

Control | Description | Status
Content Security Policy (CSP) | Restricts resource origins; blocks framing; blocks external connections | Active
Subresource Integrity (SRI) | SHA-512 hash verification on the QRCode.js CDN script | Active
HTTPS Enforcement | JavaScript redirect to HTTPS if loaded over HTTP (non-localhost) | Active
X-Frame-Options: DENY | Prevents the page from being embedded in iframes (clickjacking) | Active
X-Content-Type-Options: nosniff | Prevents MIME-type sniffing attacks | Active
Referrer Policy | Set to strict-origin-when-cross-origin to limit URL leakage | Active
Client-side Rate Limiting | Maximum 3 QR generations per 60-second window, enforced in JavaScript | Active
Input Sanitisation | All URLs trimmed and capped at 2048 characters before processing | Active
URL Validation | Protocol check (HTTPS only), hostname allowlist, path-pattern regex per platform | Active
XSS Prevention | All user-supplied content rendered via textContent, never innerHTML | Active
Sensitive Data Clearance | URL fields wiped from memory on tab close (beforeunload) | Active
Security Event Logging | Key events (platform select, rate limit, QR generate) logged to browser console | Console only
CSP unsafe-inline in script-src | Inline scripts permitted — weakens XSS protection (known limitation) | Known gap

๐Ÿ” Content Security Policy

QRDoc enforces the following CSP via a <meta http-equiv="Content-Security-Policy"> tag:

default-src 'self'; script-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; connect-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'; upgrade-insecure-requests;

Key directives and their purpose:

  • connect-src 'self' — Prevents any JavaScript fetch or XMLHttpRequest to external domains. Your pasted URL cannot be sent to a remote server.
  • frame-ancestors 'none' — Prohibits any page from embedding QRDoc in an iframe, preventing clickjacking.
  • img-src data: blob: — Permits only in-memory image data (the generated QR canvas), not remote image loads.
  • base-uri 'self' — Prevents base-tag injection attacks.
  • form-action 'self' — Prevents form-based data exfiltration to external URLs.

Known limitation: script-src includes 'unsafe-inline' because the application logic is written as inline scripts. This means the Content Security Policy alone cannot prevent injected inline scripts from running. The XSS risk is mitigated by textContent-only rendering and strict URL validation, but upgrading to a hash-based CSP is recommended for future versions.

Subresource Integrity (SRI)

The only external resource loaded by QRDoc — the QRCode.js library from cdnjs.cloudflare.com — is protected with an SRI hash. Your browser will refuse to execute the script if it has been modified in transit or on the CDN.

<script src="https://cdnjs.cloudflare.com/ajax/libs/qrcodejs/1.0.0/qrcode.min.js" integrity="sha512-CNgIRecGo7nphbeZ04Sc13ka07paqdeTu0WR1IM4kNcpmBAUSHSQX0FslNhTDadL4O5SAGapGt4FodqL8My0mA==" crossorigin="anonymous" referrerpolicy="no-referrer"></script>

If the CDN is unavailable or the file hash does not match, QRDoc will fail to load QR generation functionality rather than silently fall back to an unverified script.

๐Ÿ” URL Validation & Input Controls

Every URL submitted to QRDoc passes through a multi-layer validation pipeline before any processing occurs:

  • Sanitisation — Input is trimmed and truncated to 2048 characters.
  • URL parsing — Parsed via the native browser URL constructor, which normalises and rejects malformed input.
  • Protocol check — Only https: URLs are accepted. HTTP, data URIs, and javascript: URIs are rejected.
  • Hostname allowlist — Only the exact hostnames for Google Drive, Dropbox, and OneDrive are accepted for each platform.
  • Path pattern check — A regular expression validates that the URL path matches the expected share-link format for the selected platform.
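The pipeline above, written out as one function so the order of the stages is explicit. This is an added example, not QRDoc's own validation code: the hostnames and share-link path patterns in PLATFORMS are assumptions chosen for illustration (QRDoc's actual allowlists are not published on this page), and the inputs in the usage section are constructed. It runs in a browser or in Node.js, since both provide the native URL constructor.

```javascript
// Sanitisation cap from the page: URLs are trimmed and truncated to 2048 characters.
const MAX_URL_LENGTH = 2048;

// Assumed per-platform rules (illustrative only): exact hostnames and a path
// pattern for the share-link shape. Real allowlists should be reviewed per platform.
const PLATFORMS = {
  gdrive: {
    hosts: ["drive.google.com", "docs.google.com"],
    path: /^\/(file|document|spreadsheets|presentation)\/d\/[A-Za-z0-9_-]{10,}(\/|$)/,
  },
  dropbox: {
    hosts: ["www.dropbox.com", "dropbox.com"],
    path: /^\/(s|scl\/fi)\/[A-Za-z0-9]+\//,
  },
  onedrive: {
    hosts: ["1drv.ms", "onedrive.live.com"],
    path: /^\/[a-z]\/s![A-Za-z0-9_-]+$/,
  },
};

// Returns { ok: true, url } with the normalised URL, or { ok: false, reason }
// naming the first stage that rejected the input.
function validateShareUrl(rawInput, platform) {
  const rules = PLATFORMS[platform];
  if (!rules) return { ok: false, reason: "platform" };

  // 1. Sanitisation: trim, then cap the length before anything parses the input.
  const input = String(rawInput ?? "").trim().slice(0, MAX_URL_LENGTH);
  if (input.length === 0) return { ok: false, reason: "empty" };

  // 2. URL parsing: the native constructor normalises the input and throws on
  //    anything it cannot parse, so malformed strings never reach later stages.
  let url;
  try {
    url = new URL(input);
  } catch {
    return { ok: false, reason: "malformed" };
  }

  // 3. Protocol check: only https: passes; http:, data: and javascript: all fail here.
  if (url.protocol !== "https:") return { ok: false, reason: "protocol" };

  // 4. Hostname allowlist: exact match against the parsed hostname, so lookalike
  //    domains and subdomains of an allowed host are rejected rather than matched.
  if (!rules.hosts.includes(url.hostname)) return { ok: false, reason: "host" };

  // 5. Path pattern: the path must have the share-link shape for this platform.
  if (!rules.path.test(url.pathname)) return { ok: false, reason: "path" };

  return { ok: true, url: url.href };
}

// Usage with constructed inputs.
if (typeof require !== "undefined" && require.main === module) {
  console.log(validateShareUrl("  https://drive.google.com/file/d/1AbCdEfGhIjKlMnOp/view  ", "gdrive"));
  console.log(validateShareUrl("http://drive.google.com/file/d/1AbCdEfGhIjKlMnOp/view", "gdrive"));
  console.log(validateShareUrl("https://drive.google.com.example/file/d/1AbCdEfGhIjKlMnOp/view", "gdrive"));
}

if (typeof module !== "undefined") module.exports = { MAX_URL_LENGTH, PLATFORMS, validateShareUrl };
```

The reason codes make it easy to log which stage rejected an input (the page's console-only event logging) without ever echoing the rejected string into the DOM. Note that the length cap runs before parsing, so an over-long but otherwise valid link is silently truncated; whether the truncated link still passes the path check depends on where the cut lands.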

โฑ๏ธ Rate Limiting

To prevent automated abuse, QRDoc enforces a client-side rate limit of 3 QR code generations per 60-second window. If the limit is exceeded, the generate button is disabled and a warning is shown.

Rate limit state is stored in a JavaScript Map in browser memory and is reset when the tab is closed or the page is refreshed. It does not persist across sessions.
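A sliding-window limiter with the parameters given above (3 generations per 60 seconds), holding its state in a JavaScript Map so that it disappears with the tab. This is an added example, not QRDoc's own implementation; the button/warning wiring in onGenerateClick assumes element handles passed in by the caller, and the clock is injectable so the window can be exercised without waiting a minute.

```javascript
// Limits from the page: at most 3 QR generations per 60-second window.
const RATE_LIMIT = { max: 3, windowMs: 60_000 };

// key -> timestamps (ms) of recent generations. Lives only in this page's memory,
// so it is reset on refresh or tab close and never persists across sessions.
const attempts = new Map();

// Returns { allowed, remaining, retryAfterMs }. `now` is injectable for testing.
function checkRateLimit(key, now = Date.now(), limits = RATE_LIMIT) {
  const cutoff = now - limits.windowMs;
  // Drop timestamps that have aged out of the window before counting.
  const recent = (attempts.get(key) || []).filter((t) => t > cutoff);
  if (recent.length >= limits.max) {
    attempts.set(key, recent);
    // The window reopens when the oldest counted attempt expires.
    return { allowed: false, remaining: 0, retryAfterMs: recent[0] + limits.windowMs - now };
  }
  recent.push(now);
  attempts.set(key, recent);
  return { allowed: true, remaining: limits.max - recent.length, retryAfterMs: 0 };
}

function resetRateLimit(key) {
  attempts.delete(key);
}

// Page wiring (assumed signature): disable the button and show a warning via
// textContent, never innerHTML, and log the event to the console as the page describes.
function onGenerateClick(button, warningEl, generateFn) {
  const result = checkRateLimit("generate");
  if (!result.allowed) {
    button.disabled = true;
    warningEl.textContent = `Rate limit reached. Try again in ${Math.ceil(result.retryAfterMs / 1000)} s.`;
    setTimeout(() => {
      button.disabled = false;
      warningEl.textContent = "";
    }, result.retryAfterMs);
    console.warn("[security] rate limit hit", { retryAfterMs: result.retryAfterMs });
    return result;
  }
  console.info("[security] QR generate", { remaining: result.remaining });
  generateFn();
  return result;
}

if (typeof module !== "undefined") module.exports = { RATE_LIMIT, checkRateLimit, resetRateLimit, onGenerateClick };
```

Because QRDoc has no server, this limit protects the user's own browser session from runaway or scripted clicks; it is a client-side guard, not a backend control, and it resets exactly as the page says whenever the page is reloaded.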

Responsible Disclosure

If you discover a security vulnerability in QRDoc, please report it responsibly before public disclosure. We take all reports seriously and will respond promptly.

Report a Vulnerability

Contact Ashwinkumar D Basari directly via LinkedIn or the contact details on the About page. Please include a description of the vulnerability, steps to reproduce it, and the potential impact. We will acknowledge your report within 72 hours and aim to release a fix within 14 days for critical issues.

โ† Return to QRDoc
QRDoc

Secure, private, browser-based QR code generation for cloud documents.

Navigate

  • Home
  • Generator
  • About

Legal

  • Disclaimer
  • Privacy
  • Security
© 2025 QRDoc · Built by Ashwinkumar D Basari