Security

Validation, Markdown sanitization, moderation, password pages, and data handling.

Last updated May 28, 2026

This page summarizes how HTMLDrop handles security for hosted pages and account data. For the marketing overview, see /security. For legal terms, see /privacy.

Publish pipeline

Every publish — editor or API — passes through:

  1. Authentication (for permanent pages and API)
  2. Rate limiting by IP and account
  3. Format validation (HTML structure or Markdown content)
  4. Size limits on payloads
  5. Automated moderation (scanContent) for known abuse patterns
  6. Storage in PostgreSQL (Supabase)

Markdown publishes additionally run HTML sanitization after compilation.

JavaScript on hosted pages

HTMLDrop serves static HTML. Client-side JavaScript runs in the visitor's browser. We do not execute server-side code from user uploads.

This is intentional for prototypes and demos, but it means:

  • Published pages can make network requests from the visitor's browser
  • You should not publish secrets in HTML or JS

Markdown sanitization

The Markdown pipeline uses sanitize-html with an allowlist of tags and attributes. Scripts, event handlers, and dangerous URLs are stripped from compiled output.

Password-protected pages

Pro users can set a password on a hosted page. Passwords are stored as hashes — not plain text. Visitors receive a signed unlock cookie after successful entry.

Abuse detection and reporting

  • Automated filters block common phishing and malware patterns at publish time
  • User reports via /report trigger manual review
  • We may remove content, suspend accounts, or escalate illegal material without notice

See Acceptable use for policy details.

Data storage

  • Page content — PostgreSQL (Supabase)
  • Hosting & delivery — Vercel
  • Authentication — Supabase Auth

Anonymous pages expire after 24 hours and are deleted. See /privacy for retention and subprocessors.

Operational status

Live health checks are published at /status. We do not currently offer a contractual SLA during early access.

Security contact

For vendor security reviews or responsible disclosure, contact security@htmldrop.in or visit /contact.