By Max Techera · Open-source (MIT) · Updated June 2026
Security

Security model

Zero-knowledge by design: the server only ever stores ciphertext.

npx drops-cli report.html --managed

Client-side encryption

Locked drops are encrypted in the browser with AES-256 via StatiCrypt before upload. The password never leaves the client, and the server stores only ciphertext. Decryption happens in the recipient's browser.

Edge hardening

The edge proxy sets a strict Content-Security-Policy, X-Content-Type-Options: nosniff, and X-Robots-Tag: noindex on every drop — so a leaked URL never gets indexed by search engines.
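One way to check those three headers on a drop you host, as an added example that is not drops-cli code: it audits a raw response header block (for instance the output of `curl -sI`), and the sample responses are constructed. The function names are hypothetical, and CSP is only checked for presence because the page does not say what its strict policy contains.

```javascript
// Added example (not drops-cli code). Sample responses below are constructed.

// Parse a raw header block into Map<lowercase name, string[]>.
function parseHeaders(raw) {
  const headers = new Map();
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(":");
    if (idx <= 0) continue; // status line or blank line
    const name = line.slice(0, idx).trim().toLowerCase();
    if (!headers.has(name)) headers.set(name, []);
    headers.get(name).push(line.slice(idx + 1).trim());
  }
  return headers;
}

// True if some X-Robots-Tag value applies noindex to every crawler.
function hasGlobalNoindex(values) {
  return values.some((v) => {
    const tokens = v.toLowerCase().split(",").map((t) => t.trim());
    // "googlebot: noindex" scopes the rule to one crawler only.
    const scoped = /^[a-z0-9_-]+\s*:/.test(tokens[0]) &&
      !tokens[0].startsWith("unavailable_after");
    return !scoped && (tokens.includes("noindex") || tokens.includes("none"));
  });
}

// Return a list of findings; an empty list means all three headers are in place.
function auditDropHeaders(raw) {
  const h = parseHeaders(raw);
  const findings = [];
  const csp = h.get("content-security-policy") || [];
  if (!csp.some((v) => v !== "")) findings.push("missing Content-Security-Policy");
  const xcto = h.get("x-content-type-options") || [];
  if (!xcto.some((v) => v.toLowerCase() === "nosniff"))
    findings.push("X-Content-Type-Options is not nosniff");
  if (!hasGlobalNoindex(h.get("x-robots-tag") || []))
    findings.push("X-Robots-Tag lacks a global noindex");
  return findings;
}

// Constructed responses: one with all three headers, one with gaps.
const GOOD = ["HTTP/1.1 200 OK", "Content-Type: text/html; charset=utf-8",
  "Content-Security-Policy: default-src 'none'; script-src 'self'",
  "x-content-type-options: NoSniff", "X-Robots-Tag: noindex, nofollow"].join("\r\n");
const WEAK = ["HTTP/1.1 200 OK", "Content-Type: text/html",
  "X-Robots-Tag: googlebot: noindex"].join("\r\n");

console.log(auditDropHeaders(GOOD), auditDropHeaders(WEAK));
```

The second sample fails all three checks: a crawler-scoped `googlebot: noindex` leaves every other crawler free to index the URL.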

You own everything

Content lives in your Vercel Blob, served from your domain, with code you can audit (MIT). No third party can read, index, or hold your artifacts.

Honest limits

Locked HTML ciphertext is downloadable, so use long passwords for sensitive material — it's strong against casual access, not a vault. Raw files (without --page) are protected only by an unguessable slug.

FAQ

Is it zero-knowledge?
Locked drops are AES-256 encrypted in the browser via StatiCrypt before upload. The server stores only ciphertext — never your content or password.

Can search engines index my drops?
No — every drop is served with X-Robots-Tag: noindex, so leaked URLs stay out of search results. Only your marketing pages are indexable.

Is it really open-source and self-hosted?
Yes — MIT licensed, and it runs on your own Vercel Blob + domain. No third party ever holds your content (it's encrypted client-side) or controls your URL.