Security
Pagepost turns HTML and Markdown files into shareable links. People forward those links into Slack channels, Notion pages, and email threads — often with executives, clients, or sensitive context in the room. This page describes, concretely, what we do to protect that content and the people who view it. It is not a marketing page; if something is not listed here, assume we have not built it yet.
Encryption at rest
File contents are encrypted with AES-256-GCM before they ever reach our storage backend (Vercel Blob). GCM is an authenticated mode: a stored blob that has been modified fails authentication at decryption time instead of decrypting to altered content. The encryption key lives in our server environment and is never sent to the client. Decryption only happens at request time, on the server, when an authorised viewer fetches the file.
Slack bot tokens — the credentials our Slack app holds for workspaces that have installed it — are encrypted at rest with the same algorithm and the same key.
All traffic to and from Pagepost is served over HTTPS.
Sandboxing of uploaded HTML
Pagepost intentionally serves uploaded HTML without stripping scripts — interactive dashboards are the value the product delivers. Instead of sanitising the content, we contain it. Every uploaded file is rendered inside two overlapping sandboxes:
- A sandboxed <iframe> on the viewer page, which isolates the uploaded HTML from the Pagepost origin — uploaded code cannot read your Pagepost session cookie, your account, or any other link.
- A Content-Security-Policy: sandbox response header on the raw file URL itself, so the same isolation applies even if someone fetches the raw file directly without going through the viewer page.
On top of the sandbox, the CSP also enforces:
- No outbound network requests from inside uploaded HTML. connect-src 'none' blocks fetch, XMLHttpRequest, WebSocket, and navigator.sendBeacon. Uploaded scripts cannot phone home, exfiltrate data, or contact tracking servers.
- No form submissions to external destinations. form-action 'none' prevents uploaded HTML from posting form data to an attacker-controlled URL.
- No navigation away from the sandbox. The sandbox attribute prevents top-level navigation, popups, and downloads initiated from inside the iframe.
The result: uploaded HTML can render rich, interactive UI using inline JavaScript and libraries loaded from the CDNs the policy allows (Tailwind, Chart.js, fonts), but it cannot open connections from script, submit forms, or navigate out of its own iframe. One point worth understanding when reading the policy: connect-src governs only script-initiated connections (fetch, XMLHttpRequest, WebSocket, sendBeacon). Which hosts scripts, images and fonts may be loaded from is governed by each resource type's own directive, so it is the complete policy, not connect-src alone, that determines what uploaded HTML can reach.
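To make that last point concrete, here is an added example (not Pagepost's code) of a simplified CSP evaluator run against a constructed policy. The page names connect-src 'none', form-action 'none' and the sandbox directive; the script, style, font and image sources in RAW_FILE_CSP below are assumptions chosen to illustrate the point, not Pagepost's actual header. The evaluator handles 'none', 'self', scheme sources, host sources with a "*." prefix and the default-src fallback; paths, ports and nonce/hash sources are left out.

```javascript
// Added example, not Pagepost's code. RAW_FILE_CSP is a constructed policy:
// only connect-src 'none', form-action 'none' and sandbox come from the page.
const RAW_FILE_CSP = [
  'sandbox allow-scripts',
  "default-src 'none'",
  "script-src 'unsafe-inline' https://cdn.tailwindcss.com https://cdn.jsdelivr.net",
  "style-src 'unsafe-inline' https://cdn.tailwindcss.com https://fonts.googleapis.com",
  'font-src https://fonts.gstatic.com',
  'img-src https: data:',      // assumed; this is the directive the audit below turns on
  "connect-src 'none'",
  "form-action 'none'",
].join('; ');

// "dir a b; dir2 c" -> { dir: ['a', 'b'], dir2: ['c'] }
function parsePolicy(csp) {
  const policy = {};
  for (const part of csp.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// Directives that fall back to default-src when absent (form-action does not).
const FETCH_DIRECTIVES = new Set([
  'script-src', 'style-src', 'img-src', 'font-src', 'connect-src', 'frame-src', 'media-src',
]);

// One source expression against one URL. A schemeless host is assumed to
// mean https; paths, ports and nonce/hash sources are not modelled.
function sourceMatches(expr, url, docOrigin) {
  if (expr === "'self'") return docOrigin !== null && url.origin === docOrigin;
  if (expr.startsWith("'")) return false; // 'none', 'unsafe-inline', ... match no URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) return url.protocol === expr.toLowerCase();
  const [scheme, rest] = expr.includes('://') ? expr.split('://') : ['https', expr];
  if (url.protocol !== `${scheme.toLowerCase()}:`) return false;
  const host = rest.split('/')[0].split(':')[0].toLowerCase();
  return host.startsWith('*.') ? url.hostname.endsWith(host.slice(1)) : url.hostname === host;
}

// Would a request governed by `directive` to `target` be allowed? docOrigin
// is null for a sandboxed document: its origin is opaque, so 'self' never matches.
function isAllowed(csp, directive, target, docOrigin = null) {
  const policy = parsePolicy(csp);
  let sources = policy[directive];
  if (sources === undefined && FETCH_DIRECTIVES.has(directive)) sources = policy['default-src'];
  if (sources === undefined) return true; // nothing governs it: CSP imposes no restriction
  const url = new URL(target);
  return sources.some((expr) => sourceMatches(expr, url, docOrigin));
}

// Constructed attempts an uploaded script might make, and what the policy says.
const ATTEMPTS = [
  ['connect-src', 'https://attacker.example/collect?d=secret'], // fetch / XHR
  ['connect-src', 'wss://cdn.jsdelivr.net/socket'],             // WebSocket, even to an allowed CDN
  ['form-action', 'https://attacker.example/post'],              // <form action=...>
  ['script-src', 'https://cdn.jsdelivr.net/npm/chart.js'],       // allowed library
  ['script-src', 'https://attacker.example/evil.js'],            // script from anywhere else
  ['media-src', 'https://cdn.jsdelivr.net/clip.mp4'],           // falls back to default-src 'none'
  ['img-src', 'https://attacker.example/pixel.gif?d=secret'],    // decided by img-src, not connect-src
];

function audit(csp, attempts = ATTEMPTS) {
  return attempts.map(([directive, target]) => ({ directive, target, allowed: isAllowed(csp, directive, target) }));
}
```

Under the constructed policy, every script-initiated connection and form post is refused, but the image request to an arbitrary host is allowed because the assumed img-src permits any https: origin. That is the check to run against a real header: each directive that can carry a URL to a third party, not just connect-src.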
Markdown is sanitised; HTML is not
Markdown uploads are rendered through a strict allowlist of HTML tags and attributes — scripts and inline event handlers are stripped before the file is shown. That matches what most Markdown users expect: text and formatting, not arbitrary code.
HTML uploads are served as-is. This is a deliberate design choice — the product is built for sharing rich, scripted documents — and the sandbox above is what protects users instead of content scrubbing.
What we record about viewers
When someone opens one of your links, we record the timestamp, a hashed IP address, the browser user-agent string, and the Slack user ID if the viewer is signed in. Raw IP addresses are never written to disk: every IP is HMAC-hashed with a server-side secret before storage, which means we can detect repeat views without retaining the underlying IP. The secret is what makes this meaningful: an unkeyed hash of an IPv4 address can be reversed by hashing all four billion possible addresses, whereas the keyed hash cannot be reversed without the secret.
Viewer telemetry is cascade-deleted when the link is deleted or the owner deletes their account. See the Privacy Policy for the full data inventory and your rights under GDPR.
Authentication and session
Sign-in goes through Slack OAuth and (for accounts that have linked one) Google OAuth. We do not store passwords. The session cookie is an HMAC-signed value, so a cookie that has been edited fails signature verification and is treated as no session at all. It is marked HttpOnly, Secure, and SameSite: HttpOnly keeps JavaScript on any page, including uploaded HTML, from reading it; Secure restricts it to HTTPS; SameSite stops the browser from attaching it to cross-site requests, which is what blocks cross-site request forgery against state-changing endpoints.
Link controls owners can use
- Revoke a link instantly. Future opens return a revoked-link page.
- Expire a link on a chosen date.
- Restrict to your workspace. Slack-uploaded links default to workspace-only access; viewers outside the workspace are challenged to sign in.
- Delete the file, its metadata, and all viewer telemetry tied to it.
- Audit log. Every owner action on a link (rename, permission change, expiry change, revoke, delete) is recorded with a timestamp, so you can see the history of a link.
From your account page you can also export all of your data as JSON or delete your account entirely; deletion cascades to files, links, telemetry, and audit log.
Discoverability
Link pages are served with X-Robots-Tag: noindex, nofollow so they do not appear in search engines. Referrer-Policy: no-referrer ensures the link itself is not leaked to third parties when a viewer clicks a link inside the document.
What we don't have (yet)
Pagepost is currently operated as a small, single-operator project. We want to be clear about the boundaries of our current security posture:
- No SOC 2, ISO 27001, or HIPAA certification. If your organisation requires one of these for vendor approval, Pagepost is not the right fit today.
- No formal SLA or uptime guarantee. The service is provided as-is during the current testing phase.
- No customer-managed encryption keys. Encryption keys are held by Pagepost.
- No region selection for data residency. Hosting and storage are operated by Vercel and Turso; data may transit and rest in the United States. See §4 of the Privacy Policy for the legal basis.
- No bug bounty program. Responsible disclosure is handled informally over email (see below).
If any of these would block you from using Pagepost for sensitive work, please tell us — knowing what is missing helps us prioritise. For organisations with stricter data-residency, compliance, or air-gapped-network requirements, we can also discuss an in-house installation of Pagepost running on your own infrastructure; contact us at hello@pagepost.app to scope it.
Reporting a vulnerability
If you believe you have found a security issue in Pagepost, email security@pagepost.app with a description of the issue and steps to reproduce. Please do not publicly disclose the issue until we have had a reasonable opportunity to respond. We aim to acknowledge reports within a few business days.