Keep the route local
The server binds to a selected private LAN address instead of exposing every network interface.
FluxDrop reduces exposure with direct local transfer, HTTPS, strong random links, short expirations, explicit PC approval, and v0.3.0 hardening around upload scope, token validation, local storage, and client-IP-bound approvals. It also states clearly what self-signed local TLS cannot protect against.
Token-bearing pages, metadata, uploads, and downloads use HTTPS after certificate acceptance.
Links use 160 bits of CSPRNG entropy, live only in memory, and expire automatically.
PC approval is required by default before a phone can download or upload a file.
These changes keep the local-only model intact while tightening token handling, browser policy, upload behavior, and history/storage boundaries.
Downloads and uploads approved on the PC are bound to the phone IP that requested them.
Unlimited streaming applies only to the file upload route; JSON metadata keeps Axum's default cap.
Routes require FluxDrop's exact 27-character URL-safe token shape, and malformed upload status checks count toward rate limits.
QR images render through data URIs, transfer pages use a stricter CSP, and desktop WebView policy blocks object, base, and frame injection.
Incoming names and generated archive paths are sanitized for Windows device names and overlong filename components.
Settings and history saves replace files atomically, and CSV export neutralizes spreadsheet formula prefixes in user-controlled fields.
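The 160-bit links and the exact 27-character token shape fit together as follows. This is an added example, not FluxDrop's own code. It assumes the token is the unpadded base64url encoding of 20 random bytes; the function names and the rule that the two spare bits must be zero are also assumptions.

```rust
// Added illustration, not FluxDrop source; all names here are hypothetical.
const TOKEN_LEN: usize = 27; // ceil(160 / 6) unpadded base64url characters
const TOKEN_BYTES: usize = 20; // 160 bits

/// Map one URL-safe base64 character to its 6-bit value.
fn sextet(c: u8) -> Option<u32> {
    match c {
        b'A'..=b'Z' => Some(u32::from(c - b'A')),
        b'a'..=b'z' => Some(u32::from(c - b'a') + 26),
        b'0'..=b'9' => Some(u32::from(c - b'0') + 52),
        b'-' => Some(62),
        b'_' => Some(63),
        _ => None, // '+', '/', '=', whitespace, non-ASCII bytes, ...
    }
}

/// Decode a URL path segment into 20 token bytes, or reject it.
pub fn parse_token(segment: &str) -> Option<[u8; TOKEN_BYTES]> {
    let raw = segment.as_bytes();
    if raw.len() != TOKEN_LEN {
        return None; // wrong shape: reject before any lookup
    }
    let mut out = [0u8; TOKEN_BYTES];
    let (mut acc, mut bits, mut n) = (0u32, 0u32, 0usize);
    for &c in raw {
        acc = (acc << 6) | sextet(c)?;
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out[n] = (acc >> bits) as u8;
            n += 1;
            acc &= (1 << bits) - 1; // keep only the bits not yet emitted
        }
    }
    // 27 * 6 = 162 bits: the 2 spare bits must be zero (assumed canonical
    // form), so each 160-bit value has exactly one accepted spelling.
    if acc != 0 {
        return None;
    }
    Some(out)
}

fn main() {
    // Constructed sample segments, not real FluxDrop links.
    let base = "A".repeat(26);
    for s in &[format!("{}E", base), format!("{}B", base), "short".to_string()] {
        println!("{:>27} -> {}", s, if parse_token(s).is_some() { "accept" } else { "reject" });
    }
}
```

Rejecting on shape first means a malformed segment never reaches the in-memory link table, and the caller can count it toward the per-IP rate limit.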
FluxDrop generates a certificate for the PC's selected local IP. Because it is self-signed instead of issued by a public certificate authority, your browser cannot automatically verify the PC's identity.
The QR code first opens a generic HTTP instruction page. The secure destination is held in the URL fragment, which is not sent in that HTTP request. After you proceed through the certificate screen, token-bearing requests and file data use HTTPS.
FluxDrop is designed for a trusted PC and phone on a trusted private network.
Protected: HTTPS after local certificate acceptance.
Protected: 27-character URL-safe, 160-bit random tokens plus per-IP rate limiting.
Reduced: PC approval, client-IP binding, short expiration, and single-use links.
Protected: Metadata endpoints keep request body caps; large files stream only after the approved upload path is used.
Reduced: Private history mode and scrub controls remove saved repeat paths while preserving metadata.
Not prevented: Self-signed TLS does not authenticate the PC to the phone.
Out of scope: Endpoint compromise is outside FluxDrop's threat model.
Please use a GitHub private security advisory for token bypasses, path exposure, remote code execution, or local network attack findings. Do not open a public issue first.