Security Policy

Effective date: 26 June 2026


Scope

This policy covers the security posture of Dropframe — the platform at dropframe.run, the API at api.dropframe.run, deployed apps at {id}.dropframe.run, and the dropframe-mcp npm package.


Architecture

Dropframe has a minimal attack surface by design.

User / LLM
    │
    ▼
api.dropframe.run          Cloudflare Worker — receives deploy/update/delete/list requests
    │
    ▼
Cloudflare KV              Key-Value storage — stores raw HTML keyed by app ID
    │
    ▼
{id}.dropframe.run         Cloudflare Worker — reads from KV, wraps in iframe shell, serves

There are Workers, a KV namespace, and a D1 SQLite database. No VMs. No persistent server processes.


Sandboxing

Every deployed app is served inside an iframe with the following sandbox attribute:

sandbox="allow-scripts allow-forms allow-same-origin"

This means deployed apps:

The sandbox is enforced by the browser. It is not a substitute for reviewing what you deploy.


Transport security


Authentication

Tier         Auth mechanism
Free         None required. API is rate-limited per IP.
Paid / Pro   Clerk JWT authentication (web) or MCP bearer token (e.g. df_<token>). Tokens are transmitted over HTTPS and verified by matching their SHA-256 hash against the values stored in D1.

MCP tokens and session cookies are transmitted over HTTPS and stored securely as hashed values.
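
The hashed-token check described above, sketched as an added example (not Dropframe's own code). Assumptions: an in-memory Map stands in for the D1 table, the token body after the df_ prefix is 32 random bytes in hex, and the function names are hypothetical.

```javascript
// Added example: bearer tokens stored and verified only as SHA-256 hashes.
const { createHash, randomBytes } = require("node:crypto");

// Assumption: this Map stands in for the D1 table. Key = SHA-256 hex of the token.
const tokenTable = new Map();

// A fast unsalted hash is acceptable here only because the tokens are
// high-entropy random values, not user-chosen passwords.
const sha256Hex = (s) => createHash("sha256").update(s, "utf8").digest("hex");

// Issue a token: the plaintext is returned to the caller once,
// and only its hash is written to storage.
function issueToken(userId) {
  const token = "df_" + randomBytes(32).toString("hex");
  tokenTable.set(sha256Hex(token), { userId, revoked: false });
  return token;
}

// Mark a token as revoked. Returns false if the token was never issued.
function revokeToken(token) {
  const row = tokenTable.get(sha256Hex(token));
  if (row) row.revoked = true;
  return Boolean(row);
}

// Verify an Authorization header value. Returns the userId, or null on
// any failure (wrong scheme, malformed token, unknown or revoked token).
function verifyBearer(headerValue) {
  if (typeof headerValue !== "string") return null;
  // Reject anything that is not exactly "Bearer df_<64 hex chars>"
  // before spending a hash and a storage lookup on it.
  const m = /^Bearer (df_[0-9a-f]{64})$/.exec(headerValue);
  if (!m) return null;
  const row = tokenTable.get(sha256Hex(m[1]));
  if (!row || row.revoked) return null;
  return row.userId;
}
```

Because lookup is by hash, a leaked copy of the table contains no usable tokens, and revocation takes effect on the next request.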


Rate limiting

The API (api.dropframe.run) enforces rate limits at the Cloudflare Worker layer:

Requests that exceed rate limits receive 429 Too Many Requests. Repeated abuse may result in IP-level blocking.


Data isolation

Each deployed app is stored as an isolated blob keyed by its app ID. There is no shared storage, shared state, or cross-app access at the storage layer. The serve Worker reads only the blob corresponding to the requested subdomain.


Dependency and supply chain

The dropframe-mcp npm package has a minimal dependency tree. Dependencies are pinned to exact versions in production builds. We review dependencies for known vulnerabilities before each release.

Cloudflare Workers run in V8 isolates. There is no Node.js runtime in production Workers.


Responsible disclosure

We take security reports seriously. If you discover a vulnerability in Dropframe, please disclose it responsibly before publishing.

Contact: hello@dropframe.run
Subject line: Security Disclosure

Please include:

We will acknowledge your report within 2 business days and aim to resolve confirmed vulnerabilities within 30 days, depending on severity.

We do not currently offer a bug bounty programme. We will credit researchers who report valid vulnerabilities in our security changelog, if they wish.

We ask that you:


Incident response

In the event of a confirmed security incident:

  1. We will isolate affected systems.
  2. We will notify affected users by email if personal data is involved.
  3. We will post a public disclosure on dropframe.run/security once the incident is contained.
  4. Where required by law (e.g. GDPR Article 33), we will notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach.

Security changelog

Material security changes will be documented here with dates.

Date          Change
26 Jun 2026   Initial policy published

Contact

Email: hello@dropframe.run
Website: dropframe.run