Security

How we protect your data

Data in transit

File content is stored on Cloudflare R2, an S3-compatible object storage service with 99.999999999% (11 nines) durability.
All data is encrypted at rest using AES-256 encryption, provided automatically by Cloudflare R2.
There is no direct public access to R2 — all file reads proxy through the API, so rate limiting and expiry checks apply to every access.

Every file is protected by an opaque 32-character alphanumeric token.
Anonymous tokens use an anon_ prefix; authenticated tokens are linked to your GitHub account.
Token possession is the write credential — anyone with the token can read, write, and delete. If a request is made while signed in as a different account than the file owner, writes and deletes are rejected.
No plaintext passwords are ever stored. Authentication is GitHub OAuth only, handled via Auth.js with encrypted server-side session tokens.

Every endpoint is rate limited per file per IP using a sliding window algorithm backed by Upstash Redis.
Exceeding a limit returns 429 Too Many Requests with a Retry-After header indicating when the window resets.

Every response includes the following headers:

The x-powered-by header is suppressed on all responses.

All tokens are validated against a strict alphanumeric pattern before any database or storage operations are performed.
Request bodies are validated for correct Content-Type and valid JSON structure.
SQL injection attempts are blocked at the token validation layer — malformed tokens are rejected before reaching the database.
File content must be a JSON object at the root level — arrays and primitives are rejected with a 400 error.

Found a security issue? Please email us at support@onejsonfile.com. We take all reports seriously and will respond promptly.

Please do not publicly disclose vulnerabilities before giving us a reasonable opportunity to address them.