Security at Secret Pusher
Last Updated: July 06, 2026
Secret Pusher is built for temporary transfer of sensitive information through expiring links, access limits, and client-side encryption where supported by the product flow.
What We Protect
- Text secrets, file secrets, file upload requests, MFA share links, and URL redirects are designed to expire.
- Links can be limited by views, downloads, time, passwords, and account access controls depending on feature and plan.
- Secrets and encrypted files are removed after expiration or successful use according to their configured policy.
Encryption Model
- Text and file flows use modern browser cryptography for client-side encryption where supported.
- Encrypted file transfers use authenticated encryption and preserve encrypted payload handling on the server.
- Password protected flows require the recipient to prove access before protected content is displayed.
Abuse Prevention
- Public creation and access routes use rate limits and validation.
- Generated links are excluded from normal search indexing signals.
- We may suspend, delete, block, or investigate links that are reported for phishing, malware, spam, illegal content, credential theft, or platform abuse.
Responsible Disclosure
Please report security issues to [email protected]. Include:
- A clear description of the issue.
- Steps to reproduce.
- Affected URL or feature.
- Your contact information for follow-up.
Do not access, modify, delete, or disclose other users' data. Do not run automated destructive testing against production.
Security Contacts
- Security reports: [email protected]
- Abuse reports: [email protected]
- General support: [email protected]
You can also find our machine-readable security contact at /.well-known/security.txt.