Security

Last updated April 26, 2026

Security is foundational to 0.mk. When you shorten a URL through our service, you trust us to redirect your visitors safely and protect your data. Here is how we do it.

Infrastructure

Edge network

Link redirects are handled by Cloudflare Workers at the edge, running in 300+ data centers worldwide. This means sub-50ms redirects and DDoS protection built in.

Application

The dashboard and API run on Vercel's infrastructure with automatic TLS, isolated serverless functions, and zero-downtime deployments.

Database

PostgreSQL runs on a dedicated server with SSL-only connections, strong password authentication, and restricted network access. The application connects via a least-privilege database user.

Encryption

  • In transit: TLS 1.3 enforced on all connections - dashboard, API, redirects, and database
  • At rest: database storage encrypted at the volume level
  • API keys: stored as salted hashes, never in plaintext

Authentication

  • Passwordless magic link authentication - no passwords to steal or leak
  • Tokens are signed JWTs with short expiration windows
  • Session cookies use HttpOnly, Secure, and SameSite=Lax flags
  • API bearer tokens can be revoked instantly from the dashboard

Application security

  • Rate limiting: sliding-window rate limits on authentication, link creation, and abuse report endpoints
  • URL scanning: database-driven blocklist checks every URL against known malicious patterns before shortening
  • Input validation: Zod schema validation on all API inputs
  • Security headers: X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, Referrer-Policy, and Permissions-Policy applied via middleware
  • CSRF protection: SameSite cookies and origin verification
  • Workspace isolation: all data queries are scoped to the authenticated user's workspace

Abuse prevention

  • Automated URL scanning against a managed blocklist
  • Public abuse reporting system at /report
  • Admin review queue for flagged links
  • Audit logging for all administrative actions
  • Ability to instantly disable any link at the edge

Audit trail

All significant actions (link creation, deletion, status changes, team changes, settings modifications) are logged with timestamp, user ID, and action details. Audit logs are retained for 1 year.

Data minimization

  • Click analytics are aggregated - we store daily rollups, not individual click events
  • Visitor IP addresses are never stored - country is derived at the edge and only the code is retained
  • We collect the minimum data necessary to provide the service

Incident response

In the event of a security incident, we will:

  • Investigate and contain the issue immediately
  • Notify affected users within 72 hours as required by GDPR
  • Publish a post-mortem with details and remediation steps
  • Report to relevant authorities as required by law

Responsible disclosure

If you discover a security vulnerability, please report it via our contact page. We ask that you:

  • Give us reasonable time to investigate and fix the issue before public disclosure
  • Avoid accessing or modifying other users' data
  • Provide sufficient detail to reproduce the vulnerability

We appreciate responsible disclosure and will acknowledge researchers who help us improve security.

Contact

For security concerns, reach out via our contact page.