Threat model
- Abuse of redirects for phishing/malware distribution.
- Credential theft / account takeover attempts.
- Data leakage through analytics collection or logs.
- Infrastructure misuse via automation or high-rate traffic.
Security
Security controls for link infrastructure evaluators
Last updated: 2026-04-01. This page summarizes the main security, privacy, and abuse-prevention controls behind Nimriz.
HTTPS
Served over encrypted connections
Validated
Destination and reserved path controls
Private
Privacy mode defaults on
Security overview
Controls Nimriz applies around redirects, data, and access
These summaries keep the security page scannable while preserving the detailed policy links evaluators need.
Controls
- Destination validation (blocked unsafe URL schemes).
- Reserved system slugs on first-party domains.
- Managed-domain loop prevention to reduce redirect loops.
- Rate limiting and quota enforcement to reduce abuse.
- Bot flagging for cleaner analytics.
Encryption and secrets
Connections to Nimriz are served over HTTPS. Service providers used for storage and edge execution provide encryption in transit and support encryption at rest for managed data stores.
Operational secrets are stored in secure server-side configuration and are not intended to be exposed to client-side code.
Access and response
- Authentication gates dashboard access.
- Server-side management APIs are authenticated for private domains.
- Admin-only operations exist for takedown and safety response.
Analytics privacy
Privacy mode is enabled by default for new accounts. When enabled, IP and User-Agent are omitted from analytics events. When disabled, only daily-salted hashes may be stored to support per-day deduplication without long-term tracking.
Raw click events are handled through append-only analytics infrastructure, while dashboard reporting relies on aggregated summaries rather than per-click writes to the primary database.
Report vulnerabilities or abuse
For vulnerability reports, email security@nimriz.com with details, reproduction steps, and impact assessment. For phishing or malware, use the abuse report path.