Security
We take the security of your data and the safety of QR code end-users seriously. Here is an overview of the measures we have in place.
Encryption in transit
All traffic between your browser and qr-manager.ai servers is encrypted using TLS 1.2 or higher. We enforce HTTPS across all endpoints.
Hashed passwords
Passwords are hashed with bcrypt at cost factor 12 before storage. We never store passwords in plaintext or in any reversible form.
Rate limiting
All authentication and abuse-report endpoints are rate-limited per IP to prevent brute-force and credential-stuffing attacks.
CAPTCHA protection
Login and signup forms are protected by Cloudflare Turnstile to block automated bot traffic without friction for real users.
Email verification
All new credential accounts must verify their email address before gaining access, reducing account takeover risk.
Hashed API keys
API keys are hashed before storage using a one-way function. After initial creation, the plaintext key is never retrievable from our systems.
Automated backups
Our database is backed up automatically on a daily schedule with encrypted, off-site storage to support disaster recovery.
Two-factor authentication
Users can enable TOTP-based two-factor authentication on their account for an additional layer of protection against unauthorized access.
URL safety screening
Destination URLs are checked against the Google Web Risk API before being served to scanners. Links flagged as malicious are blocked at the redirect layer.
Scan password protection
QR codes can be individually password-gated so that only scanners who enter the correct passphrase are forwarded to the destination URL.
Audit logging (Enterprise)
All sensitive account actions — QR code changes, API key creation, member management, and settings updates — are logged with actor identity, IP address, and timestamp.
SSO / SAML 2.0 (Enterprise)
Enterprise accounts can enforce single sign-on via SAML 2.0, centralizing authentication through your organization's identity provider and eliminating local password risk.
Found a security vulnerability? Please disclose it responsibly by emailing legal@qr-manager.ai rather than filing a public issue. We appreciate responsible disclosure.
Report Abuse
If you have encountered a qr-m.app short link that redirects to malicious, fraudulent, or otherwise harmful content, please let us know using the form below. We review all reports within 24 hours and take appropriate action, including immediate link deactivation where warranted. You can also email abuse@qr-manager.ai directly.