Security Policy
Effective date: 26 June 2026
Scope
This policy covers the security posture of Dropframe — the platform at dropframe.run, the API at api.dropframe.run, deployed apps at {id}.dropframe.run, and the dropframe-mcp npm package.
Architecture
Dropframe has a minimal attack surface by design.
User / LLM
    │
    ▼
api.dropframe.run     Cloudflare Worker — receives deploy/update/delete/list requests
    │
    ▼
Cloudflare KV         Key-Value storage — stores raw HTML keyed by app ID
    │
    ▼
{id}.dropframe.run    Cloudflare Worker — reads from KV, wraps in iframe shell, serves
There are Workers, a KV namespace, and a D1 SQLite database. No VMs. No persistent server processes.
Sandboxing
Every deployed app is served inside an iframe with the following sandbox attribute:
sandbox="allow-scripts allow-forms allow-same-origin"
This means deployed apps:
- Can run JavaScript and submit forms
- Cannot navigate the top-level frame
- Cannot open pop-ups
- Cannot access the parent dropframe.run origin
- Cannot use the browser's storage APIs (localStorage, indexedDB) across origins
The sandbox is enforced by the browser. It is not a substitute for reviewing what you deploy.
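As an added example (not Dropframe's own code), the following JavaScript audits a sandbox attribute value against the capability list above and flags the one token combination that depends on where the framed content is served from. The function and field names are hypothetical; the token names come from the HTML standard.

```javascript
// Added example: audit an iframe sandbox token list. Token names are from the
// HTML standard; auditSandbox and its field names are hypothetical.
const KNOWN_TOKENS = new Set([
  "allow-downloads", "allow-forms", "allow-modals", "allow-orientation-lock",
  "allow-pointer-lock", "allow-popups", "allow-popups-to-escape-sandbox",
  "allow-presentation", "allow-same-origin", "allow-scripts",
  "allow-storage-access-by-user-activation", "allow-top-navigation",
  "allow-top-navigation-by-user-activation",
  "allow-top-navigation-to-custom-protocols",
]);
const TOP_NAV_TOKENS = [
  "allow-top-navigation", "allow-top-navigation-by-user-activation",
  "allow-top-navigation-to-custom-protocols",
];

function auditSandbox(attr) {
  // The attribute is a whitespace-separated, ASCII case-insensitive token set.
  const tokens = new Set(attr.toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean));
  const has = (t) => tokens.has(t);
  const caps = {
    scripts: has("allow-scripts"),
    forms: has("allow-forms"),
    popups: has("allow-popups"),
    topNavigation: TOP_NAV_TOKENS.some(has),
    keepsOwnOrigin: has("allow-same-origin"), // without it: opaque origin
  };
  const warnings = [];
  for (const t of tokens) {
    if (!KNOWN_TOKENS.has(t)) warnings.push(`unknown token ignored by browsers: ${t}`);
  }
  // With both tokens, isolation rests on the framed document being served
  // from a different origin than the document that embeds it.
  if (caps.scripts && caps.keepsOwnOrigin) {
    warnings.push("allow-scripts + allow-same-origin: framed content must be " +
      "cross-origin to the embedding document, otherwise its script can " +
      "reach the parent and remove the sandbox attribute");
  }
  return { caps, warnings };
}

// The attribute value quoted in this policy.
const policyAudit = auditSandbox("allow-scripts allow-forms allow-same-origin");
console.log(JSON.stringify(policyAudit, null, 2));
```
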
Transport security
- All traffic to dropframe.run, api.dropframe.run, and *.dropframe.run is HTTPS-only.
- HSTS (HTTP Strict Transport Security) is enabled with a minimum max-age of 1 year.
- TLS 1.2 minimum. TLS 1.3 preferred.
- Certificates are managed by Cloudflare.
Authentication
| Tier | Auth mechanism |
|---|---|
| Free | None required. API is rate-limited per IP. |
| Paid / Pro | Clerk JWT authentication (web) or MCP bearer token (e.g. df_<token>). Tokens are transmitted over HTTPS and verified by matching their SHA-256 hash against the hashed values stored in D1. |
MCP tokens and session cookies are transmitted over HTTPS and stored securely as hashed values.
Rate limiting
The API (api.dropframe.run) enforces rate limits at the Cloudflare Worker layer:
- Free tier: 20 deployments per hour per IP (tracked securely via IP hashing)
- Pro tier: Higher limits per plan; stated in plan documentation
Requests that exceed rate limits receive 429 Too Many Requests. Repeated abuse may result in IP-level blocking.
Data isolation
Each deployed app is stored as an isolated blob keyed by its app ID. There is no shared storage, shared state, or cross-app access at the storage layer. The serve Worker reads only the blob corresponding to the requested subdomain.
Dependency and supply chain
The dropframe-mcp npm package has a minimal dependency tree. Dependencies are pinned to exact versions in production builds. We review dependencies for known vulnerabilities before each release.
Cloudflare Workers run in V8 isolates. There is no Node.js runtime in production Workers.
Responsible disclosure
We take security reports seriously. If you discover a vulnerability in Dropframe, please disclose it responsibly before publishing.
Contact: hello@dropframe.run
Subject line: Security Disclosure
Please include:
- A description of the vulnerability
- Steps to reproduce
- The potential impact
- Any proof-of-concept (do not deploy malicious content to production)
We will acknowledge your report within 2 business days and aim to resolve confirmed vulnerabilities within 30 days, depending on severity.
We do not currently offer a bug bounty programme. We will credit researchers who report valid vulnerabilities in our security changelog, if they wish.
We ask that you:
- Not access, modify, or delete other users' data
- Not deploy test payloads to production deployments
- Not disclose the vulnerability publicly until we have resolved it or agreed on a disclosure timeline
Incident response
In the event of a confirmed security incident:
- We will isolate affected systems.
- We will notify affected users by email if personal data is involved.
- We will post a public disclosure on dropframe.run/security once the incident is contained.
- Where required by law (e.g. GDPR Article 33), we will notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach.
Security changelog
Material security changes will be documented here with dates.
| Date | Change |
|---|---|
| 26 Jun 2026 | Initial policy published |
Contact
Email: hello@dropframe.run
Website: dropframe.run