Here's exactly what happens to your files and how the protections work — no hand-waving. If any of this matters for what you're about to publish, read it first.
links are unlisted, not secretA plain link (like /brisk-otter-4f9c) is a random, unguessable name — but anyone who has the link can open the page. There's no login wall on a plain link. Don't rely on the URL being hard to guess to protect something sensitive; add a password instead.
everything over HTTPSThe CLI uploads over TLS, and every page is served over TLS. Nothing about your files travels in the clear.
passwords are hashed, never stored--password puts a one-word gate in front of a page. We never keep the word itself — only a PBKDF2-HMAC-SHA256 hash with a per-site random salt (100k iterations). The gate is checked at the edge; unlocking sets a short-lived signed cookie (24h) so we don't cache or expose the page. It's a shared-secret gate to keep unintended eyes out — good for a client draft, not a replacement for real per-person accounts on highly sensitive data.
your pages can't touch our sessionHosted pages are your own HTML and JavaScript, served from our domain. Each one is locked into a browser sandbox on its own isolated origin, so a page can't read your login cookie, your account, or any other user's page — even though it runs real scripts. Uploads also carry nosniff so the browser can't be tricked about a file's type.
API keys are hashed at restWe store only a SHA-256 hash of each key — the plaintext is shown once, at creation. The CLI keeps your token locally in ~/.heresyour/config.json. Revoke any key from the dashboard and it stops working immediately.
you can delete anythingDelete a site from the dashboard and its files are removed from storage. Because we host and serve your files, we're technically able to access their contents — so treat a published page like something on the open web, not a private vault.
⚠️
Rule of thumb: a link is publishing, not private storage. Passwords keep casual viewers out; they don't make a page a secure document. If it's truly sensitive — credentials, PII, anything you'd regret leaking — don't put it in a page you're about to hand out as a link.