Security
Last updated: June 2026 · QRDoc by Ashwinkumar D Basari
Security is built into QRDoc's architecture, not bolted on. This page details how QRDoc is secured and how to responsibly disclose security vulnerabilities.
🏗️ Security Architecture Overview
| Security Property | Implementation | Status |
|---|---|---|
| No server-side processing | All logic runs in-browser as JavaScript | Active |
| Content Security Policy | CSP delivered via an HTML meta http-equiv tag | Active |
| Subresource Integrity | SRI hash on the one third-party JS library | Active |
| XSS protection | DOM sanitisation; user input is never written with innerHTML | Active |
| HTTPS enforcement | upgrade-insecure-requests CSP directive | Active |
| Clickjacking prevention | X-Frame-Options: DENY + CSP frame-ancestors (both take effect only as HTTP response headers) | Active |
| CRLF injection prevention | Input sanitisation before QR encoding | Active |
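The XSS and CRLF rows describe two checks that happen before a URL reaches the QR encoder or the DOM. The following is an added example of those checks, not QRDoc's own code: the function names and the element id are illustrative assumptions, and the sample URLs are constructed.

```javascript
// Added example, not QRDoc's own code. Function and variable names are
// illustrative assumptions; the checks are the ones the table above describes.

// C0 control characters (CR U+000D and LF U+000A included), DEL and C1 controls.
const CONTROL_CHARS = /[\u0000-\u001F\u007F-\u009F]/g;

// Return a normalised https URL string for QR encoding, or throw if the
// input is not a safe absolute URL.
function sanitiseDocumentUrl(input) {
  if (typeof input !== 'string') throw new TypeError('URL must be a string');
  // Strip CR/LF and other control characters before encoding, so a pasted
  // value cannot carry a line break or terminator into the QR payload.
  const stripped = input.replace(CONTROL_CHARS, '').trim();
  let url;
  try {
    url = new URL(stripped);            // rejects relative or malformed input
  } catch {
    throw new Error('Not an absolute URL');
  }
  if (url.protocol !== 'https:') {      // blocks http:, javascript:, data:, file: ...
    throw new Error('Only https: URLs are allowed');
  }
  if (url.username || url.password) {
    throw new Error('Credentials embedded in the URL are not allowed');
  }
  return url.href;                      // canonical, percent-encoded serialisation
}

// Show the link on the page without innerHTML: textContent turns the value
// into a text node, so markup inside a URL is displayed, never parsed.
function renderDocumentLink(container, href) {
  const doc = container.ownerDocument;
  const link = doc.createElement('a');
  link.href = href;                     // already validated as https:
  link.textContent = href;
  link.rel = 'noopener noreferrer';
  container.replaceChildren(link);
  return link;
}

// Usage in a browser (skipped when run outside one, e.g. under Node):
if (typeof document !== 'undefined') {
  // 'qr-link' is an assumed element id, not one from QRDoc's markup.
  const out = document.getElementById('qr-link') || document.body;
  renderDocumentLink(out, sanitiseDocumentUrl('https://docs.example.com/document/d/abc123'));
}
```

The URL parser does its own normalisation (percent-encoding spaces, for instance), which is why the sanitised value, not the raw input, is what gets encoded into the QR code and displayed.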
🛡️ Content Security Policy
- Restricts script execution to 'self' and inline scripts.
- Sets connect-src 'self', so in-page scripts cannot make fetch, XHR, WebSocket, EventSource or beacon requests to external servers.
- Blocks all framing via frame-ancestors 'none'.
- Enforces HTTPS via upgrade-insecure-requests.
connect-src 'self' is a technical enforcement: the page's scripts cannot send your document URL to an external server through any of those request channels. Some caveats apply to a policy delivered in a meta tag, as this one is:
- connect-src does not govern image loads, form submissions or navigations. Those are controlled by img-src (which falls back to default-src) and form-action (which does not), so "no outbound requests" is only a complete statement when those directives are restricted too.
- Browsers ignore frame-ancestors in a meta-delivered policy, and X-Frame-Options can only be sent as a header. Clickjacking protection therefore depends on the hosting server sending those HTTP response headers.
- If inline scripts are allowed with 'unsafe-inline' rather than nonces or hashes, an injected inline script would still run; in that configuration XSS resistance rests on the DOM sanitisation described above, not on the CSP.
- upgrade-insecure-requests rewrites http: subresource and link URLs on a page that has already loaded over HTTPS; the first visit is only forced to HTTPS by a server-side redirect or HSTS.
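To check a policy like the one described above before deploying it, the following added example (not QRDoc's own code) parses a CSP string and reports the settings that weaken it or that browsers silently drop. SAMPLE_META_CSP is constructed from the directives this page lists (the CDN host and the 'unsafe-inline' keyword are assumptions, since the page does not print its actual policy); HARDENED_HEADER_CSP is a constructed comparison policy with a placeholder nonce.

```javascript
// Added example, not QRDoc's own code. Both policies are constructed for the
// example; the nonce value is a placeholder and the CDN host is an assumption.
const SAMPLE_META_CSP =
  "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdnjs.cloudflare.com; " +
  "connect-src 'self'; frame-ancestors 'none'; upgrade-insecure-requests";

const HARDENED_HEADER_CSP =
  "default-src 'self'; script-src 'self' 'nonce-Q3Jvc3NzaXRl' https://cdnjs.cloudflare.com; " +
  "connect-src 'self'; img-src 'self' data:; form-action 'none'; " +
  "frame-ancestors 'none'; upgrade-insecure-requests";

// Directives the CSP spec says are ignored when the policy is delivered in a
// <meta http-equiv="Content-Security-Policy"> element rather than a header.
const IGNORED_IN_META = new Set(['frame-ancestors', 'report-uri', 'report-to', 'sandbox']);

// Parse "name src src; name src ..." into Map<name, [sources]>.
// As in the spec, only the first occurrence of a directive name is kept.
function parseCsp(policy) {
  const directives = new Map();
  for (const clause of policy.split(';')) {
    const tokens = clause.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Return a list of findings for a policy delivered via 'meta' or 'header'.
function auditCsp(policy, deliveredVia) {
  const d = parseCsp(policy);
  const findings = [];

  if (deliveredVia === 'meta') {
    for (const name of d.keys()) {
      if (IGNORED_IN_META.has(name)) {
        findings.push(`${name} is ignored in a <meta>-delivered policy; send it as an HTTP response header`);
      }
    }
  }

  // 'unsafe-inline' lets injected inline scripts run. When a nonce or hash is
  // also listed, CSP2+ browsers ignore the keyword, so that case is not flagged.
  const script = d.get('script-src') ?? d.get('default-src') ?? [];
  const hasNonceOrHash = script.some(s => /^'(nonce-|sha(256|384|512)-)/.test(s));
  if (script.includes("'unsafe-inline'") && !hasNonceOrHash) {
    findings.push("script-src allows 'unsafe-inline': an injected inline script would run, so CSP adds no XSS mitigation");
  }

  // connect-src covers fetch/XHR/WebSocket/EventSource/beacon only. Other
  // request channels need their own directives before "no outbound requests" holds.
  if (d.has('connect-src')) {
    if (!(d.get('img-src') ?? d.get('default-src'))) {
      findings.push('img-src is unrestricted: data can still leave via image requests');
    }
    if (!d.has('form-action')) {   // form-action does not fall back to default-src
      findings.push('form-action is unset: a form submission can still post data to any origin');
    }
  }
  return findings;
}
```

Running auditCsp on the sample meta policy yields three findings (frame-ancestors dropped, 'unsafe-inline', no form-action); the hardened policy sent as a header yields none.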
📦 Third-Party Library Security
- One external JS library: qrcode-generator by Kazuhiko Arase, via Cloudflare CDN.
- Loaded with a Subresource Integrity (SRI) hash.
- Your browser verifies the file before executing it; if the hash does not match, the library will not load.
- No other third-party scripts are loaded.
👤 User Responsibilities
- Verify that your cloud document is shared with the intended permission level.
- Do not generate QR codes linking to sensitive documents unless you intend for recipients to access them.
- Be cautious about where you display QR codes — anyone who scans them can access the linked document.
- Use strong, unique passwords to protect your cloud storage accounts.
QRDoc generates QR codes correctly — but the security of the underlying document depends on your cloud provider settings, not QRDoc.
🔍 Responsible Disclosure
- Do not publicly disclose the vulnerability until a fix has been implemented.
- Do not exploit the vulnerability beyond what is necessary to demonstrate it.
- Provide sufficient detail to reproduce and fix the issue.
- Allow reasonable time for the issue to be addressed.
To report: use the Contact page and mark your message as confidential. We aim to acknowledge within 48 hours.
🔄 Security Updates
Security improvements are implemented on an ongoing basis. If you are deploying QRDoc yourself, ensure you are using the latest version from the official repository.