imageupload.io
Security

Security controls should match the sensitivity of the link.

imageupload.io combines application controls, private storage, abuse prevention, and operational monitoring. No security system removes every risk, so the product also gives uploaders explicit controls over access and lifetime.

01

Accounts and sessions

Passwords are stored using a memory-hard password hash rather than reversible encryption. Sessions are invalidated after sensitive password changes, and account owners can enable time-based one-time-password two-factor authentication.

State-changing browser requests use same-origin and CSRF protections. Administrative routes require both a valid session and an administrator role. Password-protected image previews used for moderation stay behind this same role boundary and never expose a reusable bypass token.

02

Images and storage

User-controlled image bytes are stored outside the public static directory. Direct image requests pass through access rules for passwords, expiration, burn-after-reading, and view limits. Restricted objects are not redirected to a public storage URL.

Supported uploads are decoded and processed as images before storage. Embedded EXIF, IPTC, and XMP metadata is removed during processing, which reduces accidental disclosure of GPS coordinates, device identifiers, and capture details.

03

API and MCP keys

API keys are credentials. Keep them in environment variables or a managed secret store, never in browser code or a public repository. Keys can be rotated from the profile page if exposure is suspected.

The public examples repository demonstrates server-side key handling in cURL, Node.js, Python, and MCP configurations.

04

Report a vulnerability

Send suspected vulnerabilities to [email protected] with concise reproduction steps, affected endpoints, and observed impact. Do not include another person’s private data or test against content you do not own. Security reports should not be opened as public GitHub issues.