
Security overview

ShareMyPage hosts arbitrary, user-supplied HTML and shares it inside a company. Security is a design-level requirement, not a feature bolted on afterwards. Here is exactly how it works.

Untrusted HTML is contained by isolation

Every page is served from a separate, cookieless content origin and embedded in a sandboxed <iframe> that runs scripts with a null origin — no access to cookies, local storage, or the app around it. The content origin never holds a session, so even a sandbox escape finds nothing to steal. The app shell itself runs under a strict Content-Security-Policy with frame-ancestors 'self'.
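As an added illustration (not ShareMyPage's own code), the following check audits an embed configuration against the properties described above: a sandbox that keeps the opaque origin, a content origin distinct from the app, no cookies on the content origin, and frame-ancestors 'self' on the app shell. The origins, the auditEmbed and parseCsp names, and the sample configurations are assumptions constructed for the example.

```javascript
// Added example, not ShareMyPage's code. The origins below are hypothetical placeholders.
const APP_ORIGIN = 'https://app.example.test';

// Parse a Content-Security-Policy header value into directive -> [values].
function parseCsp(header) {
  const directives = new Map();
  for (const part of (header || '').split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    // When a directive is repeated, browsers honour the first occurrence only.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), values);
    }
  }
  return directives;
}

// Returns a list of findings; an empty list means the embed matches the described design.
function auditEmbed({ frameSrc, sandbox, shellCsp, contentSetCookie }) {
  const findings = [];
  if (typeof sandbox !== 'string') {
    findings.push('iframe has no sandbox attribute');
  } else {
    const tokens = new Set(sandbox.toLowerCase().split(/\s+/).filter(Boolean));
    // With allow-same-origin the frame keeps its real origin instead of an opaque (null) one.
    if (tokens.has('allow-same-origin')) findings.push('sandbox grants allow-same-origin');
  }
  // User HTML must never share an origin with the app that holds the session.
  if (new URL(frameSrc).origin === APP_ORIGIN) {
    findings.push('user HTML is served from the app origin');
  }
  const ancestors = parseCsp(shellCsp).get('frame-ancestors');
  if (!ancestors || ancestors.length !== 1 || ancestors[0] !== "'self'") {
    findings.push("app shell CSP lacks frame-ancestors 'self'");
  }
  // A cookieless content origin should never send Set-Cookie.
  if (contentSetCookie) findings.push('content origin sets a cookie');
  return findings;
}

// Constructed sample configurations: one matching the design, one violating each property.
const good = { frameSrc: 'https://content.example.test/p/abc', sandbox: 'allow-scripts',
  shellCsp: "default-src 'self'; frame-ancestors 'self'", contentSetCookie: null };
const bad = { frameSrc: 'https://app.example.test/p/abc', sandbox: 'allow-scripts allow-same-origin',
  shellCsp: "default-src 'self'", contentSetCookie: 'sid=1; Path=/' };
console.log(auditEmbed(good), auditEmbed(bad));
```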

Strict tenant isolation

Every database read and write is scoped to the requesting member's workspace and authorized server-side — never trusting the client. Page links, share URLs, and stored files all use random, unguessable identifiers, so nothing is enumerable.

Verified identity, least-privilege access

Sign-in is Google OAuth. Domain auto-join and page invites key off the Google-verified email, never a typed string. Public email providers are blocked from domain auto-join. API tokens for the Claude/MCP integration are hashed at rest, shown once, revocable, and scoped to a single user and workspace.

Hardening & auditability

Passwords on protected pages are hashed with argon2. Uploads, comments, password attempts, and token use are rate-limited. Uploads, edits, and visibility changes are written to an append-only audit log. Data is encrypted at rest, and all secrets live in managed environment variables.

Compliance posture

We rely on subprocessors that are each SOC 2 Type II certified (our hosting, authentication, and database providers). ShareMyPage v1 does not yet carry its own formal SOC 2 certification, but the controls an auditor checks — tenant isolation, least-privilege tokens, audit logging, encryption at rest — are built in, so certification is a later step rather than a rebuild. A DPA and SSO/SAML are available on request for larger deployments.

Questions about security or compliance? Reach out and we'll walk you through it.