Security
Our security model in one sentence: there's nothing on a server to attack.
Architecture
Abundera QR is a static single-page application served from Cloudflare Pages. There is no application server, no database, no user accounts, no authentication, no API endpoints, and no backend code path that processes user data. Every QR generation, encoding, scanning, and rendering operation runs entirely inside your browser.
Threat model
Because we collect, store, and transmit no user data, the most common web-app threats — credential theft, database breach, session hijacking, server-side injection — do not apply. The remaining attack surface is the static asset bundle (HTML, CSS, JavaScript) served from our origin.
Hardening
We deliver a strict Content-Security-Policy header limiting scripts, styles, and connections to the same origin. HSTS, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy headers are all set. The service worker only caches same-origin assets. The QR scanner camera capture is processed in a Web Worker context and never serialized to disk. We accept no third-party scripts.
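As an added illustration, not the project's own configuration (which the page does not reproduce), this is how the header set described above can be expressed in a Cloudflare Pages `_headers` file; the exact directive values are assumptions consistent with a same-origin-only policy:

```text
/*
  Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self'; connect-src 'self'; worker-src 'self'; img-src 'self' blob: data:; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'
  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  X-Frame-Options: DENY
  X-Content-Type-Options: nosniff
  Referrer-Policy: no-referrer
```

`worker-src 'self'` covers the Web Worker that processes camera frames, `frame-ancestors 'none'` is the CSP equivalent of the X-Frame-Options setting, and the blob:/data: allowances in img-src are assumed for locally rendered QR images and should be removed if the build does not need them.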
Reporting a vulnerability
If you discover a security issue affecting Abundera QR — whether in our code, our deployment, or in a dependency we ship — please report it privately to security@abundera.ai. We aim to triage within 72 hours. You can also reach us via the contact details in our /.well-known/security.txt file.
No bug bounty (yet)
We do not currently offer paid bounties, but every confirmed report receives credit in the changelog and our public thanks.
Contact
Security disclosures: security@abundera.ai