Security & Privacy

Your files are yours. We're built around that principle.

HTTPS & TLS Encryption

Every connection to jpg.now is encrypted using TLS. Data in transit - Including your uploaded files - Is protected from interception. We enforce HSTS (HTTP Strict Transport Security) so browsers always connect securely, even if you type the address without https.

Automatic File Deletion

Files are never stored permanently. Guest uploads and their converted outputs are deleted within 24 hours. Files belonging to registered members are retained for up to 7 days for convenience, then deleted automatically. No file is ever archived beyond its retention window.

No Indexing or Public Listing

Files are stored under randomly generated, cryptographically unguessable names. We never publish directory listings, never index file contents, and never share files with third parties. Your upload is invisible to anyone who doesn't have the exact URL - Which we never share.

Technical details

A closer look at the security measures in our stack.

MIME Validation

Uploaded files are validated by both MIME type and file extension. Files that don't match our supported format allowlist are rejected before processing.

Rate Limiting

Conversion and upload endpoints are rate-limited per IP address to prevent abuse and protect service availability for all users.

Password Hashing: bcrypt

Account passwords are hashed using bcrypt with a work factor tuned for modern hardware. Plain-text passwords are never written to disk or logged.

CSRF Protection

All state-changing forms use CSRF tokens generated per-session. Requests without a valid token are rejected, protecting against cross-site request forgery attacks.

Responsible Disclosure

Found a vulnerability? Please contact us privately before public disclosure so we have a chance to investigate and patch the issue. We take all reports seriously and will acknowledge receipt promptly. See also our Privacy Policy and FAQ. Contact us here →