
[security.protocols]

Last updated: February 2026


Security Philosophy

Quilon is built on a zero-knowledge architecture. Your data is encrypted on your device before it ever leaves — the server is a blind relay that never sees plaintext. Even if our servers were compromised, attackers would find only encrypted, unreadable data.

End-to-End Encryption

Encryption Algorithm

Quilon uses AES-256-CBC (Advanced Encryption Standard with 256-bit keys in Cipher Block Chaining mode) with HMAC-SHA256 (Encrypt-then-MAC) for all data encryption. This provides both confidentiality and integrity verification — tampering is detected and rejected.

Encryption Format

All encrypted data follows the format: Base64(salt[16] + iv[16] + ciphertext + hmac[32]). Each encryption operation uses a unique random salt and initialization vector (IV), ensuring identical plaintext produces different ciphertext every time.

Encryption Location

All encryption and decryption happens on your device before any data leaves it. Quilon servers never have access to unencrypted sync/share payloads. This applies to clipboard content, files, screenshots, and Private Share transfers.

Key Derivation

  • Sync payload keys are derived using PBKDF2-HMAC-SHA256 with 310,000 iterations and a random 16-byte salt
  • Private Share link keys are generated locally and passed via URL fragment (#key)
  • HMAC comparison uses timing-safe equality to prevent timing attacks

Zero-Knowledge Architecture

Quilon runs in a Zero-Knowledge model. Sync and sharing payloads are encrypted client-side and key custody remains on your devices.

What Quilon Can See

  • Your email address (for authentication)
  • Device identifiers (for Socket.io routing)
  • Encrypted blobs (unreadable without your key)
  • Data volume — chunk count reveals approximate file size

What Quilon Cannot See

  • Clipboard content, filenames, or file contents
  • Passwords, API keys, or any plaintext data
  • Screenshot content (encrypted before transmission)
  • Private Share file content in plaintext

Device Pairing (Zero-Knowledge)

Pairing between desktop and mobile uses QR codes with key material in the URL fragment. URL fragments are not sent in HTTP requests, so key material is not transmitted to the server.

  1. Desktop generates pairing QR data locally
  2. QR contains fragment key material in #pair=...
  3. Mobile extracts key data locally from the fragment
  4. Pairing QR expires after 2 minutes

Private Share Security

Private Share lets you send files to anyone via a link. The file is streamed directly from your desktop through our server to the recipient — nothing is stored on the server. The server acts as a blind relay for encrypted chunks.

How It Works

  1. Desktop generates a unique AES-256 key for each share
  2. Share link format: quilon.dev/s/<sessionId>#<key> — key in URL fragment, never sent to server
  3. File is split into encrypted chunks and streamed through the relay
  4. Chunks are relayed through server RAM only — zero disk storage
  5. Recipient decrypts chunks in browser using the key from the URL fragment

Security Properties

  • Zero-storage: No file data touches disk on the server
  • One receiver: Maximum one receiver per session prevents hijacking
  • Time-limited: Sessions auto-expire after 30 minutes
  • Rate-limited: Anonymous join attempts limited to 20/min per IP
  • Wormhole model: Sender must be online — no server-side buffering

Data Storage Policy

Quilon implements a relay-only architecture for all user content.

What We Don't Store

  • Clipboard content (encrypted and relayed in real-time, then discarded)
  • File transfer data (streamed through server RAM only)
  • Private Share files (zero-storage, relay-only)
  • Screenshots or images in transit
  • Any plaintext user content

What We Do Store

  • Account information (email, hashed password)
  • Subscription status (via LemonSqueezy)
  • App release metadata (version numbers and release download references)

Rate Limiting

Quilon enforces rate limits to prevent abuse:

  • Clipboard sync: 30 clips/min per user
  • File transfer chunks: 200 chunks/min per user
  • Private Share join: 20 attempts/min per IP
  • Share link creation API: 30 requests/min per IP

Authentication Security

Password Hashing

Passwords are hashed using bcrypt with a cost factor of 10. We never store plaintext passwords.

Session Management

  • JWT tokens for API and Socket.io authentication
  • Socket connections require valid JWT before any data relay
  • Anonymous access limited to Private Share receiver (sessionId-scoped)

Network Security

HTTPS/TLS

  • All data in transit is encrypted with HTTPS/TLS
  • Web and API endpoints are served over secure transport
  • WebSocket connections upgraded over TLS

API Security

  • All authenticated endpoints require valid JWT
  • Rate limiting on all endpoints
  • Input validation on all parameters

PII Detection

Quilon includes a built-in PII (Personally Identifiable Information) scanner that detects sensitive data in screenshots before sharing. It identifies 60+ patterns including:

  • Credit card numbers (with Luhn checksum validation)
  • Social security numbers, national IDs
  • IBAN, SWIFT/BIC codes (with ISO 7064 validation)
  • API keys (AWS, GitHub, Stripe, etc.)
  • Email addresses, phone numbers
  • Passwords and secrets in common formats

Detection uses OCR (Tesseract.js 5) combined with regex pattern matching and checksum validation to minimize false positives.
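The two checksum filters named above, Luhn for card numbers and ISO 7064 mod 97-10 for IBANs, as an added example of how checksum validation cuts false positives after a regex hit. This is not Quilon's scanner (which covers 60+ patterns and runs on OCR output); the regexes, function names and the constructed sample text are assumptions for illustration.

```javascript
// Added example, not Quilon's PII scanner. Regex finds candidates; the
// checksum decides whether a candidate is reported.
const CARD_RE = /\b\d(?:[ -]?\d){12,18}\b/g;            // 13 to 19 digits, optional separators
const IBAN_RE = /\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b/g;     // country, check digits, BBAN

// Luhn: double every second digit from the right, subtract 9 if above 9, sum mod 10 == 0.
function luhnValid(candidate) {
  const d = candidate.replace(/[ -]/g, '');
  if (!/^\d{13,19}$/.test(d)) return false;
  let sum = 0;
  for (let i = 0; i < d.length; i++) {
    let n = d.charCodeAt(d.length - 1 - i) - 48;
    if (i % 2 === 1) {
      n *= 2;
      if (n > 9) n -= 9;
    }
    sum += n;
  }
  return sum % 10 === 0;
}

// ISO 7064 mod 97-10: move the first four characters to the end, map letters
// A..Z to 10..35, and the resulting number mod 97 must equal 1.
function ibanValid(candidate) {
  const s = candidate.replace(/\s+/g, '').toUpperCase();
  if (!/^[A-Z]{2}\d{2}[A-Z0-9]{11,30}$/.test(s)) return false;
  const rearranged = s.slice(4) + s.slice(0, 4);
  let rem = 0; // reduce digit by digit so no BigInt is needed
  for (const ch of rearranged) {
    const piece = ch >= 'A' ? String(ch.charCodeAt(0) - 55) : ch;
    for (const digit of piece) rem = (rem * 10 + (digit.charCodeAt(0) - 48)) % 97;
  }
  return rem === 1;
}

// Scans OCR-style text and returns only candidates whose checksum verifies.
function scanText(text) {
  const findings = [];
  for (const m of text.match(CARD_RE) || []) {
    if (luhnValid(m)) findings.push({ type: 'card', value: m });
  }
  for (const m of text.match(IBAN_RE) || []) {
    if (ibanValid(m)) findings.push({ type: 'iban', value: m });
  }
  return findings;
}

// Constructed sample text standing in for OCR output from a screenshot.
const SAMPLE = 'Order 1234 5678 9012 3456 paid with 4111 1111 1111 1111, ' +
  'refund to GB82WEST12345698765432 not GB82WEST12345698765433.';

module.exports = { luhnValid, ibanValid, scanText, SAMPLE };
```

On the sample, the regex alone would report four candidates; the checksums drop the order number and the mistyped IBAN, leaving one card and one IBAN. The same pattern (cheap regex, then a structural check) is what keeps a scanner usable on noisy OCR text.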

Vulnerability Disclosure

Responsible Disclosure Policy

If you discover a security vulnerability in Quilon, please report it responsibly to security@quilon.dev.

Reporting Guidelines

  • Don't: Post vulnerabilities publicly or in issues/comments
  • Do: Email detailed information to security@quilon.dev
  • Do: Allow us 90 days to fix and release a patch before public disclosure

Contact Us

For security concerns or questions, please contact:

Email: security@quilon.dev

Website: quilon.dev

© 2026 Quilon. Built with Claude Code.