Security
How we handle your data and your visitors'.
No marketing fluff — a factual rundown of the controls in place today. Anything on the roadmap is called out at the bottom.
Transport
TLS 1.3 on every request, terminated at the Cloudflare edge. HSTS is enabled on all OrphLink domains so browsers refuse to downgrade.
Authentication
Passwords are hashed at rest (bcrypt-style with a per-user salt). The password cookie used by password-protected links was recently upgraded to an HMAC envelope so a leaked cookie cannot be replayed against another link. Sessions use short-lived JWT access tokens (15 min) and rotated refresh tokens (7 days), both httpOnly and Secure. API keys are SHA-256 hashed at rest; only the first eight characters (the prefix) are stored in plain text so the UI can show you which key is which.
Network safety (SSRF guard)
Every destination URL — whether it arrives via the dashboard, the API, the importer, or the moderation queue — is checked against an SSRF allow-list (isSafePublicUrl). Workspaces cannot point a short link at an internal hostname, a private RFC1918 range, link-local addresses, or the Cloudflare metadata service.
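An illustrative version of such a check, added here as an example rather than OrphLink's own isSafePublicUrl: it leans on the WHATWG URL parser (available in Workers and Node) to normalise IPv4 spellings such as decimal or hex literals before comparing against blocked ranges. The hostname suffix rules, the single-label rule and the outright rejection of IPv6 literals are simplifying assumptions of this example; a production check must also resolve DNS and validate every resolved address, since a public hostname can point at a private IP.

```javascript
// Illustrative SSRF guard (added example, not OrphLink's own code).
// Only http(s) URLs whose host is not a loopback, RFC 1918, link-local
// or other non-public address are accepted.
function parseIPv4(host) {
  // The URL parser has already normalised forms like 2130706433 or
  // 0x7f000001 to dotted decimal, so a simple regex is enough here.
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

function isNonPublicIPv4([a, b]) {
  return (
    a === 10 ||                            // 10.0.0.0/8 (RFC 1918)
    (a === 172 && b >= 16 && b <= 31) ||   // 172.16.0.0/12 (RFC 1918)
    (a === 192 && b === 168) ||            // 192.168.0.0/16 (RFC 1918)
    a === 127 ||                           // loopback
    a === 0 ||                             // "this" network
    (a === 169 && b === 254) ||            // link-local, covers 169.254.169.254 metadata
    (a === 100 && b >= 64 && b <= 127)     // 100.64.0.0/10 carrier-grade NAT
  );
}

function isSafePublicUrl(input) {
  let url;
  try { url = new URL(input); } catch { return false; }   // unparseable
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  if (url.username || url.password) return false;         // no embedded credentials
  const host = url.hostname.toLowerCase();
  // Assumption of this example: IPv6 literals are rejected wholesale rather
  // than range-checked (the parser keeps the surrounding brackets).
  if (host.startsWith("[")) return false;
  if (host === "localhost" || host.endsWith(".localhost")) return false;
  if (!host.includes(".")) return false;                  // single-label internal names
  if (host.endsWith(".local") || host.endsWith(".internal")) return false;
  const v4 = parseIPv4(host);
  if (v4 && isNonPublicIPv4(v4)) return false;
  return true;
}
```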
Rate limiting
Public endpoints are rate-limited per IP using the cf-connecting-ip header, which is set by Cloudflare and cannot be spoofed by the client. Counters live in KV with a sliding window. Sensitive endpoints (login, password reset, API key creation) have tighter limits.
Content moderation
Every new link's destination is fetched and classified by a Workers AI model before the redirect goes live. Links that fail moderation never resolve — visitors see a branded blocked page instead. A daily cron re-checks links older than 30 days so a destination cannot be quietly repurposed for malware after launch.
Audit log
Every workspace mutation — links created, edited, deleted; members invited or removed; API keys minted or revoked; branding changed — is recorded in an immutable audit log with before/after diffs. Retention is configurable per workspace (default 30 days on Free, 90 on Pro, 1 year on Team). Owners can export the log at any time.
GDPR consent
Workspaces can enable a plain-language consent prompt on their short links. Visitors who decline still reach the destination, but no click event is recorded — only an anonymous counter is incremented so workspace owners can see traffic shape without identifying individuals.
Hosting and region
OrphLink runs on Cloudflare Workers (compute), D1 (relational), KV (counters and cache), R2 (logo/favicon assets), and Analytics Engine (telemetry). All storage is pinned to the UK data plane.
Vulnerability disclosure
Found something? Please email security@orphl.ink (or hello@orphl.ink if that bounces) with reproduction steps, expected impact, and any tooling output. We aim to acknowledge within two business days and triage within five. Please don't run automated scanners against production — we'll happily set up a test workspace if you want to dig deeper.
Compliance
OrphLink is not yet certified for SOC 2 or ISO 27001 — both are on the roadmap. The data plane is Cloudflare (UK region). For procurement questionnaires or DPA requests, email hello@orphl.ink and we'll respond with what we have.