Security
Last updated: 1 July 2026.
OpenQR is built so there's as little of your data to protect as possible. Every QR code is generated entirely in your browser— the link, text or Wi-Fi password you type never reaches our servers. The optional account layer (dynamic codes, the dashboard, the API and MCP server) runs on Cloudflare's edge and is designed to be minimal and auditable. It's all open source, so you can verify these claims rather than trust them.
Reporting a vulnerability
If you believe you've found a security issue, please email security@openqr.uk with enough detail to reproduce it — the affected URL or endpoint, the steps you took, and the impact you believe it has. Please report privately and give us a reasonable chance to fix it before any public disclosure. We aim to acknowledge reports within 72 hours and to keep you updated as we investigate and ship a fix.
There's no paid bug-bounty programme, but we're genuinely grateful for good-faith reports and will happily credit you (with your permission) once an issue is resolved.
Safe harbour
We won't pursue or support legal action against anyone who reports a vulnerability in good faith and in line with this policy. To stay in good faith, please:
- Only test against your own account, codes and data — never access or modify anyone else's.
- Stop as soon as you've demonstrated a problem, and don't exfiltrate more data than needed to prove it.
- Avoid privacy violations, service degradation, data destruction, and disruption to other users.
- Give us reasonable time to remediate before disclosing publicly.
Out of scope
The following generally aren't things we'll treat as reportable vulnerabilities: volumetric or denial-of-service attacks, spam or social-engineering of our team or users, reports from automated scanners without a demonstrated impact, missing best-practice headers with no concrete exploit, and issues in third-party services we use (report those to the relevant provider). Testing must never involve DoS, mass-mailing, or accessing data that isn't yours.
How OpenQR is secured
- Static codes never touch our servers.They're rendered client-side, so there is no server-side copy of your QR content to leak.
- No passwords. Accounts use email magic linksonly — there's no password database to breach.
- API keys are stored hashed. We keep only a SHA-256 hash of your key, never the raw value, and keys are sent as a Bearer header over HTTPS — never in a URL.
- Dynamic-code destinations are safety-checked. On create and edit we reject non-public targets — private, internal and loopback hosts, non-
http(s)schemes, and short-link self-loops — to keep the redirector from being abused for phishing or SSRF. - Rate limits & abuse guards.Code creation is rate-limited per account, and malicious codes can be killed to protect users and the domain's reputation.
- Edge infrastructure.The sellable layer runs on Cloudflare Workers with D1/KV, behind Cloudflare's TLS and network protections — not a home server.
- Minimal, cookieless analytics. Scan and usage analytics are anonymous and store no IP addresses or personal identifiers. See our privacy policy.
Open source
OpenQR's code is public. If you want to check exactly how any of the above works — or run your own copy — read the source on GitHub. Licensing details are on our open source page.