Six Layers of Defense
Every feature listed here is deployed in production and protecting your data right now. No vaporware, no roadmap promises — just real security.
Two-Factor Authentication
TOTP-based 2FA via authenticator apps with 10 backup codes per account, replay attack prevention, and 2-window clock drift tolerance.
AES-256-GCM Encryption
All data at rest is encrypted using AES-256-GCM authenticated encryption with random IVs per operation. In transit, every connection is TLS-enforced with HSTS.
Granular Role-Based Access
30+ permissions with a resource:action model across 4 system roles. Scoped at organization and team levels with custom role creation and hierarchy.
6-Tier Rate Limiting
Multi-tier protection across Global, IP, User, Organization, API Key, and Endpoint levels using Sliding Window, Token Bucket, Fixed Window, and Leaky Bucket algorithms.
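The sentence above names six tiers and four algorithms; the trade-offs between the algorithms, and how tiers compose, are clearer in code. The following is an added example, not Linkzly's code: three of the four algorithms named (token bucket, sliding window log, fixed window) behind one `allow(key, nowMs)` interface, and a tier chain evaluated from broadest to narrowest with the first refusing tier reported. The limits, tier order and request shape are assumptions for the demo, and time is passed in explicitly so the behaviour is deterministic.

```javascript
// Added example (not Linkzly's code): three rate-limit algorithms and a
// multi-tier chain (global -> IP -> user).

// Token bucket: burst up to `capacity`, steady rate `refillPerSec`.
class TokenBucket {
  constructor(capacity, refillPerSec) {
    this.capacity = capacity;
    this.rate = refillPerSec;
    this.buckets = new Map();
  }
  allow(key, nowMs) {
    let b = this.buckets.get(key);
    if (!b) { b = { tokens: this.capacity, last: nowMs }; this.buckets.set(key, b); }
    b.tokens = Math.min(this.capacity, b.tokens + ((nowMs - b.last) / 1000) * this.rate);
    b.last = nowMs;
    if (b.tokens < 1) return false;
    b.tokens -= 1;
    return true;
  }
}

// Sliding window log: no more than `limit` requests in any `windowMs` span.
// Exact, but memory grows with the limit; fine for per-user tiers.
class SlidingWindow {
  constructor(limit, windowMs) { this.limit = limit; this.windowMs = windowMs; this.logs = new Map(); }
  allow(key, nowMs) {
    const log = (this.logs.get(key) || []).filter((t) => t > nowMs - this.windowMs);
    const ok = log.length < this.limit;
    if (ok) log.push(nowMs);
    this.logs.set(key, log);
    return ok;
  }
}

// Fixed window: cheapest, but permits up to 2x `limit` across a window boundary.
class FixedWindow {
  constructor(limit, windowMs) { this.limit = limit; this.windowMs = windowMs; this.counts = new Map(); }
  allow(key, nowMs) {
    const window = Math.floor(nowMs / this.windowMs);
    const c = this.counts.get(key);
    const entry = c && c.window === window ? c : { window, n: 0 };
    if (entry.n >= this.limit) return false;
    entry.n += 1;
    this.counts.set(key, entry);
    return true;
  }
}

// Tier chain. A request is denied by the first tier that refuses it. Tiers
// consulted before that one have already consumed a unit; a stricter design
// would reserve in every tier and commit only if all allow.
function makeTiers() {
  return [
    { name: 'global', limiter: new FixedWindow(1000, 1000), key: () => 'all' },
    { name: 'ip', limiter: new TokenBucket(5, 1), key: (r) => r.ip },
    { name: 'user', limiter: new SlidingWindow(3, 60_000), key: (r) => r.userId },
  ];
}

function checkTiers(tiers, req, nowMs) {
  for (const tier of tiers) {
    const key = tier.key(req);
    if (key === undefined) continue;  // e.g. an anonymous request has no user tier
    if (!tier.limiter.allow(key, nowMs)) return { allowed: false, tier: tier.name };
  }
  return { allowed: true };
}
```

Returning the refusing tier matters operationally: a `user` denial is a client bug or abuse, while a `global` denial is a capacity event, and the two should alert differently.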
Secure API Key Management
Prefixed keys (lzly_live_ / lzly_test_) hashed with SHA-256 and never stored in plaintext. Each key supports IP whitelists, origin whitelists, and scoped permissions.
Full Audit Trail
Every account action, API call, and configuration change is logged with user, IP, user agent, geolocation, severity level, and before/after values. Exportable to CSV and JSON.
Every Link Gets Its Own Security Policy
Most platforms secure the platform. Linkzly secures every individual link. Password-protect sensitive content, restrict by geography, limit by domain, or set expiration rules — per link.
Password-Protected Links
Require a password to access any link. Passwords are hashed and never stored in plaintext.
Domain Whitelisting
Restrict where your links can be accessed from with allowed domains configuration.
Geographic Blocking
Block access from specific countries. Perfect for region-locked campaigns or compliance.
Expiration & Click Limits
Set links to expire by date or after a maximum number of clicks for time-sensitive content.

Per-Link Controls: Password, geo, expiry
AES-256-GCM: Authenticated encryption
Hardened from Edge to Database
Security is baked into every layer. From Cloudflare Workers validating JWTs at the edge to Zod schema validation on every input, your data is protected at every hop.
Cloudflare Edge Security
JWT and HMAC-SHA256 validation at the edge via Cloudflare Workers with tenant isolation and DDoS protection.
Encrypted Data Storage
Sensitive data encrypted at rest with AES-256-GCM. Tokens, API keys, and passwords are hashed with SHA-256 — never stored in plaintext.
Zod Input Validation
Every request validated with Zod schemas across body, query, params, and headers. XSS prevention via sanitizeString().
CloudFront TLS 1.2+
HTTP/2 and HTTP/3 support with TLSv1.2_2021 policy enforcement. Least-privilege IAM policies per service.
Defense in Depth
Security headers on every response. Cryptographic webhook signatures on every callback. Every connection is hardened by default.
Security Headers
Every HTTP response includes hardened security headers to prevent clickjacking, XSS, MIME sniffing, and data leaks.
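The header set described above is simple to emit but easy to let drift over time, so an audit that checks live responses is as useful as the middleware that sets them. The following is an added example, not Linkzly's code: the policy as a reusable map, a helper that applies it to a Node `http` response, and an audit function that takes a captured header map and reports missing or weak values. The Permissions-Policy directives and the HSTS `max-age` floor are assumptions; the page gives only "Restricted" and "HSTS enforced".

```javascript
// Added example (not Linkzly's code): security-header policy, applier and auditor.
const ONE_YEAR = 31536000;

function securityHeaders() {
  return {
    'Strict-Transport-Security': `max-age=${ONE_YEAR}; includeSubDomains`,
    'X-Content-Type-Options': 'nosniff',
    'X-Frame-Options': 'DENY',
    // Legacy header: current browsers ignore it and a CSP is the effective XSS control.
    'X-XSS-Protection': '1; mode=block',
    'Referrer-Policy': 'strict-origin',
    // Constructed example of a restricted policy (the page says only "Restricted").
    'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
  };
}

// Apply to a Node http.ServerResponse, or anything with setHeader(name, value).
function applySecurityHeaders(res) {
  for (const [name, value] of Object.entries(securityHeaders())) res.setHeader(name, value);
  return res;
}

// Expected-value checks keyed by lowercase header name.
const CHECKS = {
  'strict-transport-security': (v) => {
    const m = /max-age=(\d+)/i.exec(v);
    return m !== null && Number(m[1]) >= ONE_YEAR;
  },
  'x-content-type-options': (v) => v.trim().toLowerCase() === 'nosniff',
  'x-frame-options': (v) => ['deny', 'sameorigin'].includes(v.trim().toLowerCase()),
  'x-xss-protection': (v) => /^(0|1; mode=block)$/i.test(v.trim()),
  'referrer-policy': (v) =>
    ['strict-origin', 'strict-origin-when-cross-origin', 'no-referrer'].includes(v.trim().toLowerCase()),
  'permissions-policy': (v) => v.trim().length > 0,
};

// Audit a header map (e.g. http.IncomingMessage.headers or Object.fromEntries(fetchResponse.headers)).
// Returns [] when every check passes, otherwise one finding per problem.
function auditHeaders(headers) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) {
    lower[k.toLowerCase()] = Array.isArray(v) ? v.join(', ') : String(v);
  }
  const findings = [];
  for (const [name, check] of Object.entries(CHECKS)) {
    if (!(name in lower)) findings.push({ header: name, problem: 'missing' });
    else if (!check(lower[name])) findings.push({ header: name, problem: 'weak', value: lower[name] });
  }
  return findings;
}
```

Run `auditHeaders` against each deployed hostname from a scheduled job; a missing `Strict-Transport-Security` after a CDN or proxy change is the kind of regression this catches.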
Strict-Transport-Security: HSTS enforced
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin
Permissions-Policy: Restricted
Webhook Security
Every webhook callback is signed with HMAC-SHA256 and verified with timing-safe comparison. Failed hooks are managed automatically.
HMAC-SHA256 Signatures
Cryptographic signature on every webhook payload for tamper-proof delivery
Timing-Safe Verification
Constant-time comparison prevents timing-based side-channel attacks
HTTPS Required
Webhook endpoints must use HTTPS with no exceptions
Health Scoring (0-100)
Automatic health tracking with suspension on excessive failures and max retries
Privacy-First by Design, Not by Patch
Linkzly was architected with privacy regulations like GDPR, CCPA, and ATT in mind from day one. Data minimization and user control are built into the core.
GDPR
Designed for European data protection requirements
CCPA
Designed for California consumer privacy compliance
ATT
App Tracking Transparency ready for iOS privacy
Custom Domains
Token-based verification with SSL auto-renewal and HSTS
Full Control in Your Hands
The Linkzly console gives you direct access to every security feature. Manage 2FA, review sessions, rotate API keys, and export audit logs — all from one place.
2FA Management
Set up TOTP authenticator with QR code, generate backup codes, and manage recovery options.
Session Management
View all active sessions with device details. Revoke any session instantly from the dashboard.
Audit Trail
Full activity history with filtering by action, user, and severity. Export to CSV or JSON.
API Key Management
Create, revoke, and regenerate keys. Set IP whitelists, origin restrictions, and permission scopes.
Team & Role Management
Invite members, assign roles, and configure granular permissions per team and organization.
Permission-Based UI
The console adapts to each user's permissions, showing only the features they are authorized to access.
If Something Goes Wrong, We're Ready
Our security operations team follows a proven four-step protocol designed for speed, transparency, and minimal impact.
Detect
Automated monitoring detects anomalies in real-time across all services.
Contain
Containment protocols isolate the threat and prevent lateral movement.
Analyze
Forensic analysis with full audit trail determines scope and root cause.
Communicate
Transparent, timely updates to all affected parties throughout resolution.
Report a Security Issue
Found a vulnerability? We take every report seriously and respond promptly.
security@linkzly.com