Security

Last updated: 2026-04-01

1) Threat model (high level)

  • Abuse of redirects for phishing/malware distribution.
  • Credential theft / account takeover attempts.
  • Data leakage through analytics collection or logs.
  • Infrastructure misuse via automation or high-rate traffic.

2) Controls

  • Destination validation (blocked unsafe URL schemes).
  • Reserved system slugs on first-party domains.
  • Managed-domain loop prevention to reduce redirect loops.
  • Rate limiting and quota enforcement to reduce abuse.
  • Bot flagging for cleaner analytics.

3) Encryption

Connections to Nimriz are served over HTTPS. Service providers used for storage and edge execution provide encryption in transit and support encryption at rest for managed data stores.

4) Analytics privacy

Privacy mode is enabled by default for new accounts. When enabled, IP and User-Agent are omitted from analytics events. When disabled, only daily-salted hashes may be stored to support per-day deduplication without long-term tracking.
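One way daily-salted hashing can support per-day deduplication, as an added example (not Nimriz's code): the HMAC-SHA-256 construction, the salt derived from a server-side secret, and the names MASTER_SECRET, daily_salt, visitor_hash and build_event are assumptions, and the clicks are constructed samples.

```python
import hashlib
import hmac
from datetime import date, datetime, timezone

# Assumption: a server-side secret; placeholder value constructed for this example.
MASTER_SECRET = b"example-only-secret-not-a-real-key"

def daily_salt(day: date, secret: bytes = MASTER_SECRET) -> bytes:
    """Derive a per-day salt so hashes from different days cannot be joined."""
    return hmac.new(secret, day.isoformat().encode(), hashlib.sha256).digest()

def visitor_hash(ip: str, user_agent: str, day: date) -> str:
    """Keyed hash of IP + User-Agent; only comparable within the same day."""
    # NUL separator keeps ("1.2.3.4", "5x") distinct from ("1.2.3.45", "x").
    msg = ip.encode() + b"\x00" + user_agent.encode()
    return hmac.new(daily_salt(day), msg, hashlib.sha256).hexdigest()

def build_event(slug, ip, user_agent, ts, privacy_mode=True):
    """Build the stored analytics record; raw IP and User-Agent are never kept."""
    event = {"slug": slug, "day": ts.date().isoformat()}
    if not privacy_mode:
        # Privacy mode off: store only the daily-salted hash.
        event["visitor"] = visitor_hash(ip, user_agent, ts.date())
    return event

def unique_visitors_per_day(events):
    """Count distinct visitor hashes per (slug, day)."""
    seen = {}
    for e in events:
        if "visitor" in e:
            seen.setdefault((e["slug"], e["day"]), set()).add(e["visitor"])
    return {key: len(hashes) for key, hashes in seen.items()}

def _utc(day, hour):
    return datetime(2026, 4, day, hour, tzinfo=timezone.utc)

# Constructed sample clicks (documentation-range IPs, made-up User-Agents).
CLICKS = [
    ("promo", "203.0.113.7", "UA-A", _utc(1, 9)),
    ("promo", "203.0.113.7", "UA-A", _utc(1, 17)),   # same visitor, same day
    ("promo", "198.51.100.4", "UA-B", _utc(1, 10)),
    ("promo", "203.0.113.7", "UA-A", _utc(2, 8)),    # same visitor, next day
]
EVENTS = [build_event(*c, privacy_mode=False) for c in CLICKS]

if __name__ == "__main__":
    print(unique_visitors_per_day(EVENTS))
```

A plain unsalted hash of an IPv4 address can be reversed by enumerating the address space, which is why the salt has to stay secret; a random salt that is discarded at the end of each day is a stricter alternative to deriving it from a long-lived secret.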

Raw click events are handled through append-only analytics infrastructure, while dashboard reporting relies on aggregated summaries rather than per-click writes to the primary database.

Read more in our Privacy Policy.

5) Secrets handling

Operational secrets (API keys, hashing salts, service credentials) are stored in secure server-side configuration and are not intended to be exposed to client-side code.

6) Access controls

  • Authentication gates dashboard access.
  • Server-side management APIs are authenticated for private domains.
  • Admin-only operations exist for takedown and safety response.

7) Incident response

If we detect abuse or security issues, we may disable links/domains, suspend accounts, and investigate logs and events to contain the impact.

To report phishing or malware, use Report abuse.

8) Vulnerability reporting

Email security@nimriz.com with details, reproduction steps, and impact assessment. Please avoid including sensitive personal data in your report.

9) Related policies

See our Trust, Privacy Policy, Terms of Service, and Refund Policy.