Security

Simple architecture, clear boundaries.

Public traffic reaches StickTools over HTTPS at Cloudflare’s edge and travels through Cloudflare Tunnel to a loopback-bound application. The private dashboard is isolated from project hostnames and is intended to use Cloudflare Access plus local authentication in production.

Uploaded content is handled as untrusted static files. StickTools does not execute it server-side. Archive paths and file types are validated, deployments activate atomically, and dashboard and project cookies are scoped to their exact hosts.

A project password gate is useful for controlled sharing, but authorized viewers still receive the content in their browsers. It should not be treated as a protected-data vault.

Report a vulnerability

The operator has not yet published a security reporting address. The machine-readable security contact remains unavailable until a real contact is configured.