Most 'instant hosting' tools create a public URL immediately. For client work and AI output, that's the wrong default. Private-by-default means an unguessable slug plus an optional password, so a link only works for the people you intend.
How drop does it
Every drop gets an unguessable slug, an optional client-side AES-256 password gate, and an X-Robots-Tag: noindex response header so search engines are told not to index it. Public is opt-in (--no-lock), not the default.
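The slug and noindex properties above can be checked from outside on any share link. This added example (not drop's own code) estimates an upper bound on slug entropy and parses the X-Robots-Tag value; the 64-bit threshold, the drops.example URLs and the header values are assumptions constructed for illustration.

```javascript
// Added example: sample URLs and header values below are constructed.
const MIN_SLUG_BITS = 64; // assumed review threshold, not a drop setting
const VALUED = ["max-snippet", "max-image-preview", "max-video-preview", "unavailable_after"];

// Upper bound on slug entropy: assumes every character was drawn uniformly
// from the character classes present. A low result is a definite finding;
// a high result still depends on the generator being a CSPRNG.
function slugEntropyBits(slug) {
  let alphabet = 0;
  if (/[a-z]/.test(slug)) alphabet += 26;
  if (/[A-Z]/.test(slug)) alphabet += 26;
  if (/[0-9]/.test(slug)) alphabet += 10;
  if (/[-_]/.test(slug)) alphabet += 2;
  return alphabet ? slug.length * Math.log2(alphabet) : 0;
}

// True when an X-Robots-Tag value tells every crawler not to index.
// "none" is shorthand for "noindex, nofollow"; a value that starts with a
// crawler name ("googlebot: noindex") covers only that crawler.
function blocksIndexing(value) {
  if (!value) return false;
  const v = value.toLowerCase().trim();
  const prefix = /^([a-z0-9_-]+)\s*:/.exec(v);
  if (prefix && !VALUED.includes(prefix[1])) return false;
  return v.split(",").map((d) => d.trim()).some((d) => d === "noindex" || d === "none");
}

// Check one link: the slug is the last path segment, and header names are
// matched case-insensitively.
function auditLink(url, headers) {
  const slug = new URL(url).pathname.split("/").filter(Boolean).pop() || "";
  const entry = Object.entries(headers).find(([k]) => k.toLowerCase() === "x-robots-tag");
  const bits = slugEntropyBits(slug);
  const findings = [];
  if (bits < MIN_SLUG_BITS) findings.push("slug is guessable");
  if (!blocksIndexing(entry && entry[1])) findings.push("no noindex for all crawlers");
  return { slug, bits: Math.round(bits), findings };
}

console.log(auditLink("https://drops.example/k3Jx9QpL2mVb7TzR4nWc8Y", { "X-Robots-Tag": "noindex, nofollow" }));
console.log(auditLink("https://drops.example/report", { "x-robots-tag": "googlebot: noindex" }));
```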
FAQ
Is it zero-knowledge?
Locked drops are AES-256 encrypted in the browser via StatiCrypt before upload. The server stores only ciphertext — never your content or password.
Is it really open-source and self-hosted?
Yes — MIT licensed, and it runs on your own Vercel Blob + domain. No third party ever holds your content (it's encrypted client-side) or controls your URL.