udriveudrive

Resources

Security

udrive's security posture: how identity, access control, storage, transport, and abuse handling are designed to fail closed and never leak what they shouldn't.

Identity & sessions

  • Authentication is SIWS: a wallet signs a domain-bound message. No passwords are stored and no private key ever leaves the wallet.
  • Login nonces are single-use, expire in 5 minutes, and are consumed atomically — replay is blocked even inside the window.
  • Public keys are validated as 32-byte ed25519 and signatures as 64 bytes before any verification runs; malformed input is rejected outright.
  • Sessions are signed JWTs in an httpOnly, SameSite=Lax cookie (secure in production), unreadable by JavaScript.

Access control

  • File ids are unguessable nanoids. There is no public “list all files” endpoint and no enumeration.
  • Private files require an owner session or a valid share token (and password, if set). Access is checked on every download.
  • Quarantined and deleted files return 404 — their existence is not disclosed.
  • Mutating routes enforce same-origin (Origin/Referer) as CSRF defense, in addition to the session cookie.

Storage & encryption

  • The storage bucket is private; objects are reachable only through short-lived presigned URLs (PUT ≤ 120s, GET ≤ 300s).
  • Object keys derive from a random id, so uploads can't be guessed, overwritten, or traversed via crafted filenames.
  • Private files default to server encryption (AES-256-GCM at rest). With e2e, the server stores ciphertext only and cannot decrypt — see encryption modes.

Warning

End-to-end encrypted files derive their key from a wallet signature. If that wallet is lost, the data is unrecoverable by anyone — including udrive.

Serving & transport

  • Downloads are served as Content-Disposition: attachment with X-Content-Type-Options: nosniff. User HTML/SVG is never served inline from the app origin.
  • Inline preview is restricted to safe media: images, video, audio, PDF, and text, rendered in sandboxed components.
  • Security headers and a content security policy are applied across the app. The server never fetches user-supplied URLs (no SSRF) and never leaks stack traces to clients.

Abuse & rate limiting

  • Sensitive endpoints — auth, upload, download, reporting — are rate-limited with a Redis sliding window, per IP and per user. Limits fail closed if the limiter is unreachable.
  • Anonymous uploads have a per-IP daily quota in addition to the 100 MB per-file cap.
  • The report endpoint auto-quarantines a file once reports cross a threshold; quarantined files serve a 404.

Privacy

  • IP addresses are only ever stored as a salted hash, never in the clear — used for rate limiting and abuse handling.
  • API responses are shaped through DTOs that exclude server-only fields: storage keys, IP hashes, raw signatures, and key material never reach a client.
  • API keys are stored as hashes; only an 8-character prefix is retained for display.

Responsible disclosure

Found a vulnerability? Please report it privately before any public disclosure so it can be fixed and users protected. Include reproduction steps and impact. We appreciate good-faith research and will not pursue action against researchers acting responsibly.