Security model

Security claims you can verify, with limits you can see.

FluxDrop reduces exposure with direct local transfer, HTTPS, strong random links, short expirations, explicit PC approval, and v0.3.0 hardening around upload scope, token validation, local storage, and client-IP-bound approvals. It also states clearly what self-signed local TLS cannot protect against.

Four layers around a short-lived local connection.

01 Keep the route local

The server binds to a selected private LAN address instead of exposing every network interface.

02 Encrypt transfer traffic

Token-bearing pages, metadata, uploads, and downloads use HTTPS after certificate acceptance.

03 Minimize the access window

Links use 160 bits of CSPRNG entropy, live only in memory, and expire automatically.

04 Keep a human in the loop

PC approval is required by default before a phone can download or upload a file.

The newest release closes off avoidable edge cases.

These changes keep the local-only model intact while tightening token handling, browser policy, upload behavior, and history/storage boundaries.

01 Approval follows the requesting phone

Downloads and uploads approved on the PC are bound to the phone IP that requested them.
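The approval binding described above, as an added example that is not FluxDrop's own code: an in-memory link store where the PC-side approval is bound to the phone IP that requested the transfer, links expire automatically, and each link is consumed by a single transfer. The class and status names are assumptions for illustration.

```python
# Added example (not FluxDrop's own code): in-memory links whose PC approval is
# bound to the requesting phone IP. LinkStore and the status strings are assumed.
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass


@dataclass
class Link:
    expires_at: float                  # monotonic deadline; link is gone after this
    pending_ip: str | None = None      # phone that asked for the transfer
    approved_ip: str | None = None     # phone the PC user actually approved
    used: bool = False                 # single-use: consumed by one transfer


class LinkStore:
    """Links live only in memory and expire automatically."""

    def __init__(self, ttl_seconds: float = 300.0, clock=time.monotonic):
        self._links: dict[str, Link] = {}
        self._ttl = ttl_seconds
        self._clock = clock            # injectable so expiry can be exercised in tests

    def create(self) -> str:
        # 20 CSPRNG bytes -> 160 bits -> 27 URL-safe characters, no padding
        token = secrets.token_urlsafe(20)
        self._links[token] = Link(expires_at=self._clock() + self._ttl)
        return token

    def _live(self, token: str) -> Link | None:
        link = self._links.get(token)
        if link is None:
            return None
        if self._clock() >= link.expires_at:
            del self._links[token]     # expired links are dropped on first touch
            return None
        return link

    def request(self, token: str, phone_ip: str) -> str:
        """Phone opens the link; the PC prompt will show phone_ip for approval."""
        link = self._live(token)
        if link is None:
            return "unknown"
        if link.approved_ip is not None:
            return "already_approved"
        link.pending_ip = phone_ip
        return "awaiting_approval"

    def approve(self, token: str) -> str:
        """PC user approves; the approval binds to the IP that made the request."""
        link = self._live(token)
        if link is None:
            return "unknown"
        if link.pending_ip is None:
            return "nothing_to_approve"
        link.approved_ip = link.pending_ip
        return "approved"

    def transfer(self, token: str, phone_ip: str) -> str:
        """Phone starts the download/upload: must match the approved IP, be unused."""
        link = self._live(token)
        if link is None:
            return "unknown"
        if link.approved_ip is None:
            return "not_approved"
        if phone_ip != link.approved_ip:
            return "ip_mismatch"       # another device presenting the same token
        if link.used:
            return "already_used"
        link.used = True
        return "ok"
```

The point of the design is that knowing the token alone is not enough once the PC has approved: the transfer must also arrive from the address the approval was granted to, and it works exactly once before the link expires.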

02 Upload body limits stay scoped

Unlimited streaming applies only to the file upload route; JSON metadata keeps Axum's default cap.

03 Token probes are stricter

Routes require FluxDrop's exact 27-character URL-safe token shape, and malformed upload-status checks count toward rate limits.
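An added example (not FluxDrop's own code) of the two points above and of the 160-bit token entropy mentioned earlier: a strict shape check for the 27-character URL-safe token (20 random bytes, base64url without padding) and a per-IP sliding-window limiter in which a malformed probe costs the client exactly as much as a well-formed miss. The route name, window, and limit values are assumptions.

```python
# Added example (not FluxDrop's own code): strict token shape plus a per-IP
# limiter that counts malformed probes. Route name and limits are assumptions.
from __future__ import annotations

import re
import secrets
import time
from collections import defaultdict, deque

# Exactly 27 characters from the base64url alphabet and nothing else.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{27}")


def generate_token() -> str:
    """20 CSPRNG bytes -> 160 bits -> 27 URL-safe characters, no padding."""
    return secrets.token_urlsafe(20)


def has_token_shape(candidate: str) -> bool:
    """Accept only the precise shape the server itself generates."""
    return TOKEN_RE.fullmatch(candidate) is not None


class ProbeLimiter:
    """Counts requests per client IP inside a sliding time window."""

    def __init__(self, max_hits: int = 20, window_seconds: float = 60.0,
                 clock=time.monotonic):
        self._hits: dict[str, deque[float]] = defaultdict(deque)
        self._max = max_hits
        self._window = window_seconds
        self._clock = clock           # injectable so the window can be tested

    def hit(self, ip: str) -> bool:
        """Record one request from ip; True while the client is within its budget."""
        now = self._clock()
        window = self._hits[ip]
        while window and now - window[0] >= self._window:
            window.popleft()          # forget hits that fell out of the window
        window.append(now)
        return len(window) <= self._max


def upload_status(limiter: ProbeLimiter, live_tokens: set[str],
                  ip: str, candidate: str) -> str:
    """Status route: the hit is counted *before* shape validation, so spraying
    malformed tokens burns the same budget as guessing well-formed ones."""
    if not limiter.hit(ip):
        return "rate_limited"
    if not has_token_shape(candidate):
        return "malformed"
    if candidate not in live_tokens:
        return "not_found"
    return "ok"
```

Counting before validating matters: if malformed requests were rejected for free, a client could probe the parser or the route behaviour without ever touching its rate-limit budget.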

04 Rendered pages are tighter

QR images render through data URIs, transfer pages use a stricter CSP, and desktop WebView policy blocks object, base, and frame injection.

05 Filenames and archives are safer

Incoming names and generated archive paths sanitize Windows device names and overlong filename components.
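An added example (not FluxDrop's own code) of the filename and archive-path sanitization described above: reserved Windows device names get a prefix (they are reserved even with an extension, so CON.txt counts), control and reserved characters are replaced, separators and dot-dot segments cannot survive as part of a component, and overlong components are cut at a UTF-8 byte limit without splitting a character. The 255-byte limit and the replacement scheme are assumptions.

```python
# Added example (not FluxDrop's own code): sanitize one filename component and
# a generated archive path. The 255-byte limit and "_" replacement are assumed.
from __future__ import annotations

import re

WINDOWS_DEVICE_NAMES = {"CON", "PRN", "AUX", "NUL",
                        *(f"COM{i}" for i in range(1, 10)),
                        *(f"LPT{i}" for i in range(1, 10))}
MAX_COMPONENT_BYTES = 255            # common per-component filesystem limit (assumed)
_BAD_CHARS = re.compile(r'[\x00-\x1f\x7f<>:"|?*]')


def _truncate_utf8(text: str, max_bytes: int) -> str:
    """Cut text to at most max_bytes of UTF-8 without splitting a character."""
    encoded = text.encode("utf-8")
    if len(encoded) <= max_bytes:
        return text
    return encoded[:max_bytes].decode("utf-8", errors="ignore")


def sanitize_component(name: str) -> str:
    """Make a single path component safe to create on the local filesystem."""
    # A component never carries separators: keep only the last segment.
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    name = _BAD_CHARS.sub("_", name)
    name = name.rstrip(" .").strip()  # Windows silently drops trailing dots/spaces
    if name in ("", ".", ".."):
        name = "file"
    # CON, NUL, COM1, ... are reserved even with an extension ("CON.txt").
    if name.split(".", 1)[0].upper() in WINDOWS_DEVICE_NAMES:
        name = "_" + name
    if len(name.encode("utf-8")) > MAX_COMPONENT_BYTES:
        stem, dot, ext = name.rpartition(".")
        ext_bytes = len(ext.encode("utf-8"))
        if dot and stem and ext_bytes <= 16:
            # keep a short extension, shorten the stem to fit the budget
            name = _truncate_utf8(stem, MAX_COMPONENT_BYTES - ext_bytes - 1) + "." + ext
        else:
            name = _truncate_utf8(name, MAX_COMPONENT_BYTES)
    return name


def sanitize_archive_path(path: str) -> str:
    """Sanitize every component of a path placed inside a generated archive."""
    parts = [p for p in path.replace("\\", "/").split("/")
             if p not in ("", ".", "..")]
    return "/".join(sanitize_component(p) for p in parts) or "file"
```

Note that the archive path is handled component by component rather than as one string: that is what keeps a name containing a separator or a dot-dot segment from escaping the directory the archive is extracted into.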

06 Local records fail safer

Settings and history saves replace files atomically, and CSV export neutralizes spreadsheet formula prefixes in user-controlled fields.
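An added example (not FluxDrop's own code) of both behaviours above: a write that goes to a temporary file in the same directory, is fsynced, and is then renamed over the target, so a crash mid-save leaves the previous file intact; and a CSV export that prefixes an apostrophe to cells in user-controlled columns that start like a spreadsheet formula. The column names and the sample history rows are constructed for illustration.

```python
# Added example (not FluxDrop's own code): atomic settings/history save and a
# CSV export that neutralizes formula prefixes in user-controlled fields.
# Column layout and the sample rows below are constructed assumptions.
from __future__ import annotations

import csv
import io
import json
import os
import tempfile

# Leading characters that spreadsheet applications may treat as a formula.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")
USER_CONTROLLED = {"filename"}       # columns whose content comes from the other device

# Constructed sample history (not real data).
SAMPLE_HISTORY = [
    {"time": "2024-01-01T10:00:00", "direction": "upload",
     "peer_ip": "192.168.1.20", "filename": "=SUM(A1:A3)"},
    {"time": "2024-01-01T10:05:00", "direction": "download",
     "peer_ip": "192.168.1.20", "filename": "photo.jpg"},
]


def write_atomically(path: str, data: bytes) -> None:
    """Temp file in the target directory -> fsync -> rename over the target.
    Readers see either the old file or the complete new one, never a torn file."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp_path = tempfile.mkstemp(dir=directory, prefix=".tmp-")
    try:
        with os.fdopen(fd, "wb") as tmp:
            tmp.write(data)
            tmp.flush()
            os.fsync(tmp.fileno())
        os.replace(tmp_path, path)   # atomic rename on POSIX and Windows (same volume)
    except BaseException:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)      # never leave a half-written temp file behind
        raise


def save_settings(path: str, settings: dict) -> None:
    write_atomically(path, json.dumps(settings, indent=2).encode("utf-8"))


def load_settings(path: str) -> dict:
    with open(path, "rb") as f:
        return json.loads(f.read().decode("utf-8"))


def neutralize_cell(value: str) -> str:
    """Apostrophe-prefix a cell that starts like a formula so it is shown as text."""
    if value and value[0] in FORMULA_PREFIXES:
        return "'" + value
    return value


def export_history_csv(rows: list[dict],
                       columns=("time", "direction", "peer_ip", "filename")) -> str:
    """Only user-controlled columns are neutralized; the app's own fields are left as-is."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(columns)
    for row in rows:
        writer.writerow(
            neutralize_cell(str(row[c])) if c in USER_CONTROLLED else str(row[c])
            for c in columns
        )
    return out.getvalue()
```

Neutralizing only the user-controlled columns is deliberate: applying the prefix everywhere would also mangle legitimate app-generated values such as negative numbers or timestamps with leading tabs.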

Why your phone may show a warning the first time.

FluxDrop generates a certificate for the PC's selected local IP. Because it is self-signed instead of issued by a public certificate authority, your browser cannot automatically verify the PC's identity.

The QR code first opens a generic HTTP instruction page. The secure destination is held in the URL fragment, which is not sent in that HTTP request. After you proceed through the certificate screen, token-bearing requests and file data use HTTPS.
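An added example (not FluxDrop's own code) of the fragment trick described above: the URL in the QR code points at a plain-HTTP landing page and carries the HTTPS destination only in the fragment, which browsers never include in the request-target they send. The ports and path layout are assumptions.

```python
# Added example (not FluxDrop's own code): the secure destination travels in
# the URL fragment, which never appears in the HTTP request. Ports and the
# "/t/<token>" path layout are assumptions.
from __future__ import annotations

from urllib.parse import urlsplit, urlunsplit


def build_landing_url(pc_ip: str, http_port: int, https_port: int, token: str) -> str:
    """URL encoded into the QR code: plain-HTTP host, secure target only in the fragment."""
    secure_target = f"https://{pc_ip}:{https_port}/t/{token}"   # assumed layout
    return f"http://{pc_ip}:{http_port}/#{secure_target}"


def request_target(url: str) -> str:
    """The request-target a browser puts in its HTTP request line: path and
    query only. The fragment is client-side state and never leaves the device."""
    parts = urlsplit(url)
    return urlunsplit(("", "", parts.path or "/", parts.query, ""))


def secure_destination(url: str) -> str:
    """What the landing page's script recovers from location.hash to continue."""
    return urlsplit(url).fragment
```

The check worth carrying away is the first assertion below: the unencrypted request that the landing page receives contains no token at all, so a passive observer of that first hop learns only that a FluxDrop page was opened.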

1. Scan: generic local page
2. Accept: local certificate
3. Transfer: encrypted HTTPS

Protection depends on the attacker.

FluxDrop is designed for a trusted PC and phone on a trusted private network.

Threat: Passive Wi-Fi observation
Mitigation: HTTPS after local certificate acceptance.
Coverage: Protected

Threat: Link guessing
Mitigation: 27-character URL-safe, 160-bit random tokens plus per-IP rate limiting.
Coverage: Protected

Threat: Someone sees the QR code
Mitigation: PC approval, client-IP binding, short expiration, and single-use links.
Coverage: Reduced

Threat: Oversized upload metadata
Mitigation: Metadata endpoints keep request body caps; large files stream only after the approved upload path is used.
Coverage: Protected

Threat: Local history exposure
Mitigation: Private history mode and scrub controls remove saved repeat paths while preserving metadata.
Coverage: Reduced

Threat: Active LAN man-in-the-middle
Mitigation: Self-signed TLS does not authenticate the PC to the phone.
Coverage: Not prevented

Threat: Compromised PC or phone
Mitigation: Endpoint compromise is outside FluxDrop's threat model.
Coverage: Out of scope

A private network is part of the security boundary.

  • Use FluxDrop on a home, office, or other network you trust.
  • Avoid guest Wi-Fi and public hotspots where client isolation or hostile peers may be present.
  • Confirm the requesting phone IP and file details before approving.
  • Cancel active links when you no longer need them.
  • Use private history mode when repeat shortcuts are less important than avoiding saved local paths.
  • Do not bypass a certificate warning if the local IP is not the one shown in FluxDrop.

Report it privately.

Please use a GitHub private security advisory for token bypasses, path exposure, remote code execution, or local network attack findings. Do not open a public issue first.