built-in · all plans

security baked in,
not bolted on

TOTP two-factor auth, password-gated content, HMAC-signed tokens, AES-GCM encrypted secrets, AI URL screening on every link. Concrete defenses at every layer — not a "security" page full of "industry-leading" hand-waving.

▮ layered defense

five layers, one account.

An attacker has to beat every layer in order. Each one is a distinct, standard primitive — not a single wall with a single failure mode.

01 identity

totp 2fa at sign-in

RFC 6238 codes from any authenticator app, with single-use backup codes for recovery. The outermost gate on your account.

02 access

password gating

PBKDF2-SHA256 + timing-safe comparison guards individual short links and bio pages. Cookie-based unlock, no retype.

03 content

ai url screening

Cloudflare Workers AI classifies every destination at create time. Phishing, malware, and spam are rejected before they ship.

04 integrity

hmac-signed tokens

Unsubscribe, subscriber-removal, admin sessions, and outbound webhooks are HMAC-SHA256 signed. Can't be forged without the key, can't be replayed across token types.

05 storage

encryption at rest

AES-GCM on sensitive D1 secrets, keyed from BETTER_AUTH_SECRET. A stolen database export reveals nothing usable.

settings → security → 2fa enabled
# step 1 — scan with your authenticator
# google authenticator · 1password · authy · raycast
secret = "JBSWY3DPEHPK3PXP"
algorithm = "SHA1"  digits = 6  period = 30

# step 2 — save these backup codes (shown once)
a4f8-9c2e  b7d1-3e09  c2a5-8f1b
d6e3-7c40  e9b2-1d57  f3c8-5a26

# step 3 — verify before activating
verify 9 4 2 1 7 5
two-factor authentication enabled
standard totp

RFC 6238. Works with every authenticator app on the planet — no custom codes, no vendor lock-in.

backup codes shown once

Six single-use codes. Copy + store in a password manager. We never show them again — that's the point.

verify before activating

We don't flip 2FA on until you successfully enter a code. Stops attackers from locking you out by enabling it with their secret.

login + backup-code fallback

Sign-in form prompts for your 6-digit code. Lost your phone? Use a backup code instead — same form, one click to swap.

▮ surface

eight concrete defenses.

Each one names a real thing in the codebase — not a vague trust badge.

totp two-factor auth

Compatible with any authenticator app (Google Authenticator, 1Password, Authy, Raycast). Backup codes generated at enrollment for account recovery.

password-gated content

Short links AND bio pages can require a password. PBKDF2-SHA256 hashing with timing-safe comparison. Cookie-based unlock so visitors don't retype on every navigation.

ai url harm classification

Every shortened URL screened by Cloudflare Workers AI before it ships. Phishing, malware, spam — flagged + rejected at create time so your domain can't be turned into a phishing factory.

hmac-signed tokens

Unsubscribe links, subscriber removal, and admin sessions all use HMAC-SHA256 signatures. Tokens can't be forged, can't be cross-replayed between types — one signature, one purpose.

aes-gcm encryption at rest

Sensitive secrets (Resend API key, Stripe webhook secret) encrypted in D1 with a key derived from BETTER_AUTH_SECRET. Compromised D1 export ≠ compromised secrets.

webhook hmac delivery

Outbound webhooks signed with X-C3lt-Signature: sha256=… so receivers can verify the payload came from us, not a spoofed origin.

reports + admin moderation

Public report flow on every bio page and short link. Admin queue with review workflow. Bad actors suspended fast — your reputation stays clean.

per-ip rate limiting

Public endpoints (demo shortener, subscriber capture, password attempts) rate-limited per CF-Connecting-IP via KV. No spam, no brute force, no infinite reset loop.

▮ approach

how we approach it.

1

never roll our own crypto

PBKDF2 + Web Crypto for passwords. HMAC-SHA256 for token signing. AES-GCM for at-rest encryption. AbortSignal.timeout for network bounds. All standard primitives, no clever inventions.

2

defense in depth

Frame-ancestors CSP on the bio page so it can't be embedded for clickjacking. KV per-IP rate limit on every public POST. Plan checks server-side AND client-side. No single layer is the only thing keeping you safe.

3

minimum viable data

We don't store IP addresses long-term. Bot user-agents tagged so you can exclude them. Sensitive secrets encrypted in D1. The less we hold, the less anyone can take.

4

edge-served, no origin

Redirects, bio pages, and most APIs run entirely on Cloudflare Workers. There is no origin server, no SSH key, no admin SSH session, no rsync window. The attack surface is the codebase itself.

TOTP · RFC 6238 · Standard 2FA, no vendor lock-in
AES-256 · GCM at rest · Secrets encrypted in D1
PBKDF2 · Password hashing · Web Crypto, timing-safe
HMAC-SHA256 · Token signing · Unsubscribe + webhooks

built to be trustworthy.

Free forever. Enable 2FA in 60 seconds. No credit card.