Security & privacy.

Every request - upload, download, login - uses HTTPS / TLS. The tus upload protocol is HTTP-native, so the same TLS terminator that protects the rest of your site protects uploads.

Files are stored as opaque objects on disk under randomized storage keys. Filenames in the database are sanitized. Deleted files are purged from disk, not just marked.

Passwords are hashed with Argon2id (the OWASP-recommended algorithm). We never see your plaintext password. Sessions are JWTs in HTTP-only, SameSite=Lax cookies.

Download requests are logged with a SHA-256 hash of the requester IP - not the IP itself. Logs are retained for 90 days for abuse prevention, then deleted.

We don't see your wallet address. Our payment provider processes the crypto transaction; we receive the order ID, amount, and status only.

Found a security issue? Email us at legal@drop.xxx. We respond within 48 hours. Please don't disclose publicly until we've had a chance to patch.