Security & trust
The engineers behind taleseal have spent their careers securing UK critical national infrastructure. On those systems a security failure is a national story, not a bug ticket. A tale is a record people cite, so it gets the same discipline: every control on this page is live in the running service, and you can check most of them from your own terminal.
live in production · checkable with curl · no asterisks
Don’t take our word for it
curl -sI https://taleseal.comHSTS, a strict content-security policy and no-referrer, on every responsecurl https://taleseal.com/.well-known/security.txtour disclosure policy, machine-readable01The link is the only door
A tale’s address is unguessable. Guessing at the permitted request rate would take millions of years. There is no other way in: readers need no account, and no account can browse tales.
No public feed exists anywhere in the product. Every tale page tells crawlers not to index or archive it, and tells shared caches never to keep a copy.
Links inside a tale are followed with no referrer, so the tale’s own address is never handed to the sites it links to.
02The sealed record
There is no edit path: not in the API, not in the dashboard, not for us. A tale is worth citing because it cannot quietly change.
A publisher can retract a tale: its contents are destroyed at once and the address answers 410 Gone, permanently. The address is never reused, so a link can never start telling a different story.
A tale published with an expiry is deleted from the database when it lapses. Not hidden, deleted. That is the difference between a privacy feature and a privacy claim.
03Accounts and keys
A key is shown once, at the moment you mint it, then kept as a SHA-256 hash. We cannot recover it, display it again, or lose it in a database dump.
Passwords are hashed with scrypt, a memory-hard algorithm built to make bulk cracking expensive. Sign-in is rate limited per address and globally.
Publishing, viewing, sign-in and key minting are all rate limited. Dashboard actions are origin-checked, so another site cannot act as you.
04Infrastructure
The service runs on Fly.io, and error logs never contain tale content. Failures are correlated by request id, never by body.
All traffic is forced to HTTPS, with HSTS telling browsers never to try anything else.
Every response (pages, API, assets) carries strict security headers. This page ships zero JavaScript, and its own policy forbids any.
Error logs never contain tale content: failures are correlated by request id, never by body.
Sub-processors, all three of them
05Found a hole?
Report vulnerabilities by email, or read the machine-readable version at /.well-known/security.txt.
[email protected]