Security

How socials.download handles links and media

You hand us a third-party URL, so it's fair to ask exactly what happens to it. This page says so plainly, including the parts that aren't reassuring.

Transport

Everything is served over HTTPS. HSTS is applied at the edge by our host. Responses set X-Content-Type-Options: nosniff, a Referrer-Policy, frame protections, and a restrictive Permissions-Policy.

The link you submit

Submitted URLs are sent in the body of a POST request, not in a query string, so they don’t end up in browser history, in a shareable address, or in a referrer header. The backend uses the URL to resolve the requested public media and to deliver it back to you.

The media itself

Media streams through on demand and is not written to socials.download object storage on the live free tier. There is no permanent free-tier library, and there is nothing to browse later. That also means we can’t recover a file for you after the fact.

Logs and rate limiting

Rate limiting stores a one-way hash of request signals rather than your raw IP address. That is pseudonymous, not anonymous — a hash of a value from a small space is still personal data, and we don’t claim otherwise. Standard security and server logs can contain IP addresses and are retained for about 30 days.

Analytics and advertising

Aggregate analytics are handled by Vercel Analytics. Google AdSense loads only after applicable consent, and when it does, it receives request data including your IP address and user agent. That is disclosed in full in the Privacy Policy.

Browser extension

The browser extension is not publicly released and has no store listing. Nothing currently supported requires it. If it ships, its permissions and data handling will be documented here before it does.

What we don't claim

We don’t offer end-to-end encryption, zero-knowledge handling, zero logs, anonymous infrastructure, or tamper-proof storage, and we don’t claim that a download is invisible to the source platform. What a platform records on its own side is outside our control.

Reporting a vulnerability

Email contact@socials.download with details and reproduction steps. Please give us a reasonable window to respond before disclosing publicly. We don’t currently run a paid bounty.