Security
How wr.fi protects your data.
Infrastructure
| Component | Details |
|---|---|
| Hosting | AWS Lightsail (eu-west — Ireland) |
| DNS / CDN | Cloudflare (DNS only, grey cloud — no proxy, so AI tools are not blocked) |
| TLS | HTTPS everywhere via Caddy auto-HTTPS with Cloudflare origin certificates |
| Database | SQLite (single file, encrypted at rest via EBS) |
| File storage | Content-addressed (SHA-256 dedup), local filesystem with EBS encryption |
| Reverse proxy | Caddy with automatic HSTS, OCSP stapling |
| Application | Next.js 16 in Docker (node:20-slim) |
What we store
- Creations: title, content type, artifacts (files), metadata (provenance, generation info, tags)
- Artifacts: stored by SHA-256 content hash — automatic deduplication, no filename-based storage
- Accounts: username, bcrypt-hashed password, optional email (for notifications only)
- Sessions: random token, 30-day expiry, invalidated on password change
- Analytics: server-side event log (type, shortId, IP, user agent). No client-side tracking pixels.
What we don't store
- No tracking pixels, no ad cookies, no third-party analytics scripts
- No payment data (Stripe handles all payment processing)
- No browsing history beyond server access logs
- IP addresses in event logs — retention policy under review for GDPR compliance
Access model
| Tier | Visibility | Auth to view |
|---|---|---|
| Public | In feed, indexed | None |
| Unlisted | Not in feed, not indexed | None (URL is the secret) |
| Secure unlisted | 8-char URL, not in feed | None (URL practically unguessable) |
| Password-protected | Not in feed | Password, view key, or edit token |
Security headers
- Content-Security-Policy (CSP) on all pages
- Strict-Transport-Security (HSTS)
- X-Frame-Options: DENY
- X-Content-Type-Options: nosniff
- Permissions-Policy: restricted
- SameSite=Lax on all cookies, HttpOnly, Secure in production
- CORS: `*` only on public push/read endpoints. Sensitive endpoints are same-origin only.
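
One way to check a response against the header list above, as an added example that is not wr.fi's own code. The function names and the sample responses are constructed for illustration, and the audit assumes a production response, where the list says cookies carry Secure.

```javascript
// Added example: audit one response against the header policy listed above.
// Assumes a production response (the page sets Secure on cookies in production).
function cookieAttrs(line) {
  // Attribute names/values after the first "name=value" pair, lowercased.
  const attrs = new Map();
  for (const part of line.split(';').slice(1)) {
    const [k, ...v] = part.trim().split('=');
    if (k) attrs.set(k.toLowerCase(), v.join('=').toLowerCase());
  }
  return attrs;
}
// res: { headers: {name: value}, setCookie: [lines], publicEndpoint: boolean }
function auditResponse(res) {
  const h = {};
  for (const [k, v] of Object.entries(res.headers)) h[k.toLowerCase()] = String(v).trim();
  const findings = [];
  for (const name of ['content-security-policy', 'strict-transport-security', 'permissions-policy']) {
    if (!h[name]) findings.push(`missing ${name}`);
  }
  if ((h['x-frame-options'] || '').toUpperCase() !== 'DENY') findings.push('x-frame-options is not DENY');
  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') findings.push('x-content-type-options is not nosniff');
  // A wildcard origin is acceptable only on public push/read endpoints.
  if (h['access-control-allow-origin'] === '*' && !res.publicEndpoint) findings.push('wildcard CORS on a non-public endpoint');
  for (const line of res.setCookie || []) {
    const name = line.split('=')[0].trim();
    const a = cookieAttrs(line);
    if (a.get('samesite') !== 'lax') findings.push(`cookie ${name}: SameSite is not Lax`);
    if (!a.has('httponly')) findings.push(`cookie ${name}: missing HttpOnly`);
    if (!a.has('secure')) findings.push(`cookie ${name}: missing Secure`);
  }
  return findings;
}
// Constructed sample responses, not captured from wr.fi.
const good = {
  publicEndpoint: false,
  headers: {
    'Content-Security-Policy': "default-src 'self'",
    'Strict-Transport-Security': 'max-age=31536000',
    'X-Frame-Options': 'DENY',
    'X-Content-Type-Options': 'nosniff',
    'Permissions-Policy': 'camera=(), microphone=()',
  },
  setCookie: ['session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax'],
};
const bad = {
  publicEndpoint: false,
  headers: { ...good.headers, 'X-Frame-Options': 'SAMEORIGIN', 'Access-Control-Allow-Origin': '*' },
  setCookie: ['session=abc123; Path=/; SameSite=None; Secure'],
};
console.log(auditResponse(good), auditResponse(bad));
```

An empty array means the response matches the listed policy; each string names one deviation.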
Rate limiting
- Anonymous pushes: 60/hour per IP
- Login attempts: 20/hour per IP
- Edit token failures: 5/shortId/hour
- ShortId reads: 60/minute per IP (enumeration protection)
- API key regeneration: 3/hour per account
Jurisdiction
wr.fi is operated by Kurikkai Oy, a Finnish company. Finnish jurisdiction means EU/GDPR by default, no FISA or CLOUD Act exposure. Data is processed in the EU (AWS eu-west).
Open source
wr.fi is open source under AGPL-3.0. Audit every line at github.com/wrfi/wrify.
Responsible disclosure
Found a vulnerability? Email security@wr.fi. We respond within 48 hours and credit responsible disclosures. See also security.txt.