Trust

Security at Just Publish

Here's exactly how we protect your site and your data — and, just as importantly, what we don't claim. Everything below is something we can actually stand behind.

Our approach

Just Publish is deliberately simple, and that simplicity is part of what keeps it safe: we host static files — no servers running your code, no database behind your site. Below is exactly how we protect your site and your data. We only list things we can actually stand behind; we don't claim certifications or audits we don't have.

How your site is protected

Your edit key is the only key — and it's checked securely

When you publish a site, you get a private edit key that's the only thing needed to change that site later. We never store your edit key itself — only a one-way fingerprint of it — and when you use it, it's checked in a way designed to give away nothing about the real key. There's no password to leak and no login for an attacker to guess.

Published sites live on a separate domain from our own

Your published sites are served from justpublish.site, a completely separate domain from our brand and dashboard on justpublish.ai. Keeping them apart means that if one published site is ever misused, the problem is contained to the content domain and can't reach the accounts or dashboard side.

Everything is served over HTTPS

Your site, our dashboard, and our publishing endpoint are all served over an encrypted HTTPS connection by default, so traffic between your visitors and the site is protected in transit.

Uploaded files are strictly validated

Every file you publish is checked against strict path rules before it's stored, which blocks a whole class of attacks that try to use crafted file paths to escape your site's own space.

How your data is protected

Your site's files are backed up every day

We copy every published site's files into a separate backup store once a day, so there's a recent point-in-time copy to restore from. The information about your sites is stored on a platform that supports 30-day point-in-time recovery. Together, these give us a recent copy to restore from if a site is changed or lost by accident.

Stored data is encrypted at rest by our platform

Your site's files and the information about your sites are stored on Cloudflare's storage platform, which encrypts stored data at rest by default. This is a feature of the platform we build on, provided automatically.

Content is served with safe defaults

We serve pages with headers that tell browsers not to second-guess a file's type, which closes off a common way that a mislabeled file could be turned into something harmful.

Keeping the platform clean

Every publish is scanned for obvious abuse

When a site is published, we run an automated check for well-known phishing patterns and block the obvious cases before the files ever go live. Broader protection is handled upstream by our infrastructure provider's security tooling.

Anyone can report a problem site

Every published site has a built-in way to report abuse, so a bad site can be flagged and reviewed. You can also email us directly at abuse@just-done.ai.

What we don't claim

Being honest about our limits is part of security. Just Publish does not currently hold formal security certifications (such as SOC 2 or ISO 27001), and nothing on this page should be read as one. If you have a specific security or compliance requirement, tell us at hi@justpublish.ai and we'll give you a straight answer about whether we can meet it today.