# Security at iDrop

iDrop is built with security at every layer — from how you log in, to how your files are stored and transmitted, to how you share content with others. This page explains the security measures in place to protect your data.

---

## Two-Factor Authentication (2FA)

Two-factor authentication adds an extra layer of protection to your iDrop account. Even if someone obtains your password, they cannot log in without the second factor from your authenticator app.

### How It Works

When 2FA is enabled, logging in requires two things:

1. **Your password** — something you know.
2. **A 6-digit code** from your authenticator app — something you have.

### Supported Authenticator Apps

iDrop works with any authenticator app that supports TOTP (time-based one-time passwords), including:

- Google Authenticator
- Authy
- 1Password
- Microsoft Authenticator
- Bitwarden

### Enabling 2FA

1. Go to **Settings → Two-Factor Auth**.
2. Click **Enable 2FA**.
3. Scan the QR code with your authenticator app, or copy the setup key and enter it manually.
4. Click **Continue**.
5. Enter the 6-digit code from your authenticator app to verify the setup.
6. Click **Confirm** to activate 2FA.
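
An added example, not iDrop's own code: how a TOTP-compatible app derives the 6-digit code from the setup key in step 3, and how a server can check the code entered in step 5. It assumes the RFC 6238 defaults (HMAC-SHA1, 30-second steps), which this page does not state; the function names, the one-step drift window and the replay check are illustrative assumptions, and the sample key is the public RFC test secret.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per code; RFC 6238 default (assumed, not stated on this page)
DIGITS = 6   # the 6-digit code described above

# Constructed sample: Base32 of the RFC 6238 test secret, not a real account key.
SAMPLE_SETUP_KEY = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"


def decode_setup_key(setup_key: str) -> bytes:
    """Decode a Base32 setup key as a user types it (spaces, lowercase, no padding)."""
    key = setup_key.replace(" ", "").replace("-", "").upper()
    key += "=" * (-len(key) % 8)          # restore stripped Base32 padding
    return base64.b32decode(key)


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 of the counter, dynamic truncation, zero-padded digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F               # low nibble of last byte picks the window
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, now: float) -> str:
    """RFC 6238: HOTP where the counter is the number of elapsed time steps."""
    return hotp(secret, int(now) // STEP)


def verify(secret: bytes, submitted: str, now: float, last_used: int = -1, drift: int = 1):
    """Return the accepted time step, or None if the code is rejected.

    Accepts +/- `drift` steps of clock skew and refuses any step that is not
    newer than `last_used`, so an observed code cannot be replayed.
    """
    if len(submitted) != DIGITS or not (submitted.isascii() and submitted.isdigit()):
        return None
    current = int(now) // STEP
    accepted = None
    for counter in range(current - drift, current + drift + 1):
        # Constant-time comparison; check every candidate so timing does not leak a match.
        if hmac.compare_digest(hotp(secret, counter), submitted) and counter > last_used:
            accepted = counter
    return accepted
```

The caller stores the returned step as `last_used` for the account, which is what makes each code single-use within its validity window.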

### Recovery Codes

After enabling 2FA, you receive a set of one-time-use recovery codes. These let you access your account if you lose your authenticator device.

- Click **View Recovery Codes** to reveal them.
- Store them in a safe location like a password manager.
- Click **Regenerate Codes** to create new codes (this invalidates the old ones).

### Disabling 2FA

To disable 2FA, go to **Settings → Two-Factor Auth** and click **Disable 2FA**.

---

## Cloudflare Security

All traffic to and from iDrop passes through Cloudflare's global network, which provides multiple layers of protection.

### DDoS Protection

Cloudflare automatically detects and mitigates distributed denial-of-service (DDoS) attacks, ensuring iDrop remains available even during an attack.

### Web Application Firewall (WAF)

Cloudflare's WAF inspects incoming requests and blocks common attack patterns including SQL injection, cross-site scripting (XSS), and other OWASP Top 10 threats.

### Bot Protection

Automated bots and credential-stuffing attacks are identified and blocked before they reach iDrop's servers.

### Global CDN

Static assets are cached and served from Cloudflare's edge network, improving performance while reducing exposure of origin servers.

---

## Encryption at Rest (SSE-S3 / AES-256)

All files stored in iDrop are encrypted at rest using **Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)**.

### How It Works

- Every file uploaded to iDrop is automatically encrypted before being written to disk using **AES-256** (Advanced Encryption Standard with 256-bit keys).
- Encryption keys are managed and rotated by Amazon S3 — no action is required from users.
- When a file is accessed, it is automatically decrypted before delivery.

### What This Means for You

- Your files are protected even if the underlying storage media were to be physically compromised.
- Encryption and decryption happen transparently — there is no impact on upload or download performance.
- AES-256 is one of the strongest encryption standards available, used by governments and financial institutions worldwide.

---

## Encryption in Transit (SSL/TLS)

All data transmitted between your browser and iDrop is encrypted using **SSL/TLS** (Secure Sockets Layer / Transport Layer Security).

### How It Works

- Every connection to iDrop uses **HTTPS**, ensuring all data in transit is encrypted.
- iDrop enforces TLS 1.2 or higher, which protects against known vulnerabilities in older protocols.
- SSL/TLS certificates are automatically managed and renewed.

### What This Protects Against

- **Eavesdropping** — Third parties cannot read the data being transmitted between your browser and iDrop.
- **Man-in-the-middle attacks** — Attackers cannot intercept or alter data in transit.
- **Data tampering** — Files and metadata cannot be modified during transfer.

### End-to-End Protection

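Encryption in transit and at rest are both applied server-side (Amazon S3 manages the keys, and files are decrypted before delivery), so "end-to-end" here means coverage of every stage rather than client-side encryption. Combined, they protect your files at each stage: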

1. **In transit** — Encrypted via SSL/TLS as they travel between your browser and iDrop.
2. **At rest** — Encrypted via AES-256 while stored on iDrop's servers.
3. **On delivery** — Re-encrypted via SSL/TLS when downloaded by you or your share recipients.

---

## Password-Protected Shares and Requests

iDrop lets you add password protection to shared folders, shared files, and file upload requests for an additional layer of access control.

### Password-Protected Shares

When creating or editing a share link, you can enable **Require Password** to protect the content:

- Recipients must enter the correct password before they can view or download any shared content.
- The password is set by you when creating the share and can be changed at any time.
- Share the password with recipients through a separate channel (e.g., a text message or phone call) rather than alongside the link.

### Password-Protected File Requests

When creating a file upload request, you can set a password:

- Senders must enter the password before they can upload files to your request folder.
- This prevents unauthorized users from submitting files even if they obtain the request link.

### Best Practices for Share and Request Passwords

- **Use strong passwords** — Combine uppercase and lowercase letters, numbers, and symbols.
- **Deliver passwords separately** — Never include the password in the same message as the share or request link.
- **Rotate passwords** — For long-lived shares, change the password periodically by editing the share settings.
- **Use expiration dates** — Combine password protection with an expiration period for time-limited access.

---

## Summary

| Layer | Technology | Protection |
|---|---|---|
| Login | Two-Factor Authentication (2FA) | Prevents unauthorized account access |
| Network | Cloudflare (DDoS, WAF, Bot Protection) | Blocks attacks before they reach iDrop |
| In Transit | SSL/TLS (TLS 1.2+) | Encrypts all data between browser and server |
| At Rest | SSE-S3 (AES-256) | Encrypts all stored files on disk |
| Sharing | Password Protection | Controls access to shared content and upload requests |
