Skip to content

Security

Security and privacy at CUQ.IN

A short link is a redirect and a counter. This page is what that actually means: what we store, what we don't, what a click logs, and where to reach us when something looks wrong.

What we don't collect.

No cookies on the public site. Open the landing page, the API docs, the contact form, or click a short link: zero Set-Cookie headers, zero document.cookie writes. The only browser storage we touch is localStorage, and only two first-party keys land there. cuq_lang holds your UI language. cuqin-recents-focus holds the recent-links list on your own device. Neither leaves your browser.

No Google Analytics, no Plausible, no Matomo, no Meta pixel, no Hotjar, no Segment. No third-party scripts on any live page. No fingerprinting, no device graph, no cross-site tracking. When you click a short link we do not log your IP against that click, we do not store your user-agent, we do not record the referrer that sent you.

What we do collect, and why.

Five things, each tied to a job.

Your email, when you request an API key. Stored in api_keys.email. We use it to send you the key and to reach you if something breaks. A short-lived OTP goes to verification_codes for that verification step.

Your destination URL, when you shorten a link. Stored in short_urls.long_url exactly as you submitted it.

The creator IP, when a short link is made. Stored in short_urls.ip. This is for abuse forensics and rate-limit enforcement, not for the visitors who later click the link. Visitor IPs are never persisted.

Payment fields, only if you use /pay. Your name and email land on the order row (cuq_pay_orders.customer_email, customer_name). Card data never touches our servers. Paddle hosts the checkout and carries the PCI scope.

Contact form messages, delivered by email to our inbox and not written to the database. Your IP is included in that email for abuse handling, then it lives only in the mailbox.

How a short link resolves.

You click a cuq.in link. Your browser asks our server for the code. We look up the row and return an HTTP 302 to the destination. A 302 is a temporary redirect: your browser reads the Location header and goes there. That is the whole exchange.

We also send X-Robots-Tag: noindex, nofollow on the redirect response, so search engines do not index the short link or crawl the destination through it. If the code is missing, the API key is inactive, or the target domain is on our block list, we send you back to the homepage instead. Same 302, no error page that leaks the attempted URL.

The destination sees what any 302 shows: the origin, cuq.in. No path, no query string, no personal referrer from us. On our side, we bump visit_count on the row by one. No IP is stored against your click, no user-agent, no device fingerprint. The row's counter is the only trace.

Transport security.

Every request to cuq.in goes over HTTPS. The certificate is issued by Let's Encrypt and terminated at the Cloudflare edge, with TLS 1.3 as the negotiated protocol for any modern browser. There is no plain-HTTP fallback. Hit http://cuq.in and you get bounced to https:// before the redirect logic even runs.

We publish HSTS with max-age=15552000 (about 6 months). Once your browser has seen the header, it refuses to talk to cuq.in over HTTP for that window, even if you type the URL without the scheme. includeSubDomains and preload are off today, so the guarantee covers the apex host you actually use for short links.

Bad links, and what we do about them.

We keep a block list of known bad domains. When you try to shorten a link that hits the list, the request is refused at creation. The same list is checked at redirect time, so a domain added after a link was made stops resolving too, and the visitor lands on the CUQ.IN homepage instead of the destination. The list is curated by hand from abuse reports, not pulled from a paid feed.

If you spot a CUQ.IN link being used for phishing, malware, or a scam, mail [email protected] with the short URL and a short note on where you saw it. We review reports as fast as we can, disable the link, and add the destination domain to the block list when the pattern is clear.

GDPR and KVKK, in plain terms.

CUQ.IN is run as a personal project, not a company. That does not change your rights under the EU GDPR or Türkiye's KVKK. Both laws give you the right to see the data held about you, correct it, delete it, take a copy of it, or object to how it is used. To use any of these rights, mail [email protected] from the address tied to your API key and we act on the request within 30 days.

What we actually hold about you is small. An email address, if you asked for an API key. Visit counts on your short URLs, aggregated on the row, with no per-click user attribution. The IP that created a short URL, kept for abuse forensics. No cookies on the public site, no third-party analytics, no fingerprinting. Unused links may be removed after 2 years of no activity, on request or during periodic cleanup.

Reporting a security bug.

Found a security issue. Mail [email protected] with a short write-up and, ideally, a proof of concept. We reply within a few days, fix confirmed issues, and ask that you hold public disclosure for 90 days or until a fix ships, whichever comes first. There is no paid bug bounty, this is a personal project, but credit in the fix note is available on request. A machine-readable version of this contact lives at /.well-known/security.txt.