briefroom

Sign up or Sign in

or

We'll create an account for you if you don't have one yet.

Security

briefroom security — protecting your HTML and your viewers

Serving-domain isolation + 3-layer HTML inspection + auth controls + privacy protection. Everything we do to make AI-generated HTML safe to share, in one place.

Four safety guarantees

A foundation you can rely on, from personal drafts to client work, when sharing AI-generated HTML.

  • Physical serving-domain isolation

    User HTML is served from a dedicated user-content.briefroom.net host, separate from the main domain. Even if a malicious HTML is executed, it can't touch credentials on the main side.

  • 3-layer HTML inspection

    An extension allowlist, magic-byte validation, and malware scanning detect and block dangerous HTML at upload time.

  • Flexible access controls

    Share URLs are tokenized so they can't be discovered via search. Combine password protection, email-invite access, and expiration presets (24h / 7 days; Pro and above also unlock 30 days / 90 days / no expiration) to precisely control who sees your content.

  • Privacy protection

    Personal data is SHA-256 hashed and logged for audit. We comply with Article 28 of Japan's APPI on cross-border transfer consent and honor immediate-deletion requests.

Security design in detail

A ground-up view of each control at the implementation level. Minimal jargon; concrete on how each mechanism actually works.

Physical serving-domain isolation

Share URLs and content URLs run on different origins. Thanks to the browser's Same-Origin Policy, served HTML cannot read cookies or credentials from the main side.

  • Share URLs on briefroom.net, content URLs on user-content.briefroom.net — separated at the origin level
  • Served HTML is loaded in an iframe so Same-Origin Policy applies
  • Public Suffix List registration filed. Cookies cannot be shared across share links by construction
  • The rule "never serve user HTML from the main domain" is codified as an absolute design invariant

3-layer HTML inspection

Uploaded HTML passes through three inspection layers before publication. If any layer detects a threat, we either surface a warning or halt publication automatically.

Layer 1: File-format validation

  • Only extensions on the allowlist (.html / .css / .js / .svg / .png / .jpg / .gif / .woff(2) / .ttf / .otf / .json / .txt / .md, etc.) are accepted
  • Magic-byte validation catches extension spoofing (e.g. an executable renamed to .png)
  • SVG files are sanitized by stripping script tags and onclick-family event attributes
  • Path traversal inside ZIP archives (Zip Slip) is detected and rejected

Layer 2: Malware scanning

  • External malware scanning (VirusTotal API) checks both the HTML itself and referenced URLs
  • Clean = published immediately / Flagged (1–2 detections) = warning banner + kept online / Quarantined (3+ detections) = taken down + deleted
  • EICAR test files continuously verify the detection pipeline end-to-end

Layer 3: Periodic re-scan

  • Vercel Cron re-scans every 5 minutes to catch HTML that becomes newly flagged after upload
  • Every verdict change is recorded in audit_logs

Flexible access controls

Choose from three visibility modes per share link based on the use case. Expirations and revocations are reflected on the serving side immediately.

  • Unlisted mode (default): visible only to those who have the URL
  • Password-protected mode (Pro / Team): hashed password + HttpOnly cookie for authentication
  • Email-invite mode (Pro / Team): Magic Link login; non-invited access returns 401
  • Expiration presets (24h / 7 days / 30 days) plus an immediate revoke API
  • Revoked links return 410 Gone; CDN caches are purged via hourly cron

Authentication system

Two login paths: Magic Link and Google OAuth. CLI usage is handled safely via per-token credentials.

  • Built on Supabase Auth (Magic Link + Google OAuth)
  • Personal Access Tokens for the CLI: issue / revoke / expire; stored encrypted in the OS keychain
  • All auth cookies are HttpOnly + Secure + SameSite=Lax
  • Secrets are marked Sensitive in Vercel; Worker-side secrets are managed in a separately isolated scope
  • Cloudflare Turnstile bot detection on guest deploy, invitee login, password attempts, and comment submissions

Privacy protection

We start from "don't collect what we don't need" and anonymize the minimum we do keep. We also handle deletion requests for HTML you accidentally published.

  • IP addresses are SHA-256 hashed before storage
  • Emails live only in the users table and audit-log metadata — never in logs or Sentry
  • Raw share URL tokens are never stored; only their SHA-256 hash is kept
  • Cross-border transfer destinations (Cloudflare / Supabase / Resend / Stripe, etc.) are explicitly disclosed for APPI Article 28 consent
  • Instant deletion requests from the dashboard purge R2 + DB + CDN caches together
  • For HTML accidentally submitted to VirusTotal, we walk you through the withdrawal process

Monitoring & incident response

Service health and security events are monitored continuously. We commit to a first response within 24 hours.

  • Sentry captures errors and exceptions in real time
  • Better Stack Monitor watches 4 endpoints at a 5-minute interval
  • Vercel Analytics tracks request volume, latency, and regional distribution
  • Abuse report form (Turnstile + rate limiting + email notification)
  • Vulnerability contact is published at /.well-known/security.txt
  • Deletion requests are actioned within 24 hours; deletion history is retained in audit logs

Compliance

We maintain the legal framework required to run a domestic SaaS.

  • Terms of Service + Privacy Policy
  • Notice under the Act on Specified Commercial Transactions (with our qualified-invoice registration number)
  • Registered as a qualified invoice-issuing business
  • Cyber insurance is under consideration

Frequently asked questions

What if the HTML contains malicious JavaScript?
Our 3-layer inspection (extension allowlist + magic-byte validation + malware scanning) blocks the vast majority of cases at upload time. Even if something slips through, the serving domain is physically isolated from the main domain, so credentials and cookies cannot be stolen.
What should I do if my account is compromised?
Re-issue your Magic Link and revoke all Personal Access Tokens (PATs) to invalidate existing sessions immediately. Contact us via the support form if you need emergency assistance.
How will you contact users during a service outage?
Better Stack Monitor watches service health continuously. Our incident-notification channels (official account / status page) are Coming soon.
Where is my data stored?
Metadata is stored in Supabase (Tokyo region); HTML bodies are stored in Cloudflare R2 (US region). See the Privacy Policy for details.
Where do I report a vulnerability?
Use the contact form and select the "Security / vulnerability disclosure" category. Responsible Disclosure is welcome. The same contact is also published at /.well-known/security.txt.

A safe way in

Take a look at how we've designed things, then give briefroom a try with confidence. Concerns and abuse reports are welcome at any time.

Contact us about security