Security at Just Publish
Here's exactly how we protect your site and your data — and, just as importantly, what we don't claim. Everything below is something we can actually stand behind.
Our approach
Just Publish is deliberately simple, and that simplicity is part of what keeps it safe: we host static files, with no servers running your code and no database behind your site. We only list things we can actually stand behind; we don't claim certifications or audits we don't have.
How your site is protected
Your edit key is the only key — and it's checked securely
When you publish a site, you get a private edit key that's the only thing needed to change that site later. We never store your edit key itself — only a one-way fingerprint of it — and when you use it, it's checked in a way designed to give away nothing about the real key. There's no password to leak and no login for an attacker to guess.
Published sites live on a separate domain from our own
Your published sites are served from justpublish.site, a completely separate domain from our brand and dashboard on justpublish.ai. Keeping them apart means that if one published site is ever misused, the problem is contained to the content domain and can't reach the accounts or dashboard side.
Everything is served over HTTPS
Your site, our dashboard, and our publishing endpoint are all served over an encrypted HTTPS connection by default, so traffic between your visitors and the site is protected in transit.
Uploaded files are strictly validated
Every file you publish is checked against strict path rules before it's stored, which blocks a whole class of attacks that try to use crafted file paths to escape your site's own space.
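To make the idea of strict path rules concrete, here is an added example; it is not Just Publish's own code. The specific rules, the limits, the sites/<site_id>/ storage layout and every function name are assumptions chosen for illustration.

```python
import posixpath
import unicodedata

MAX_LEN, MAX_DEPTH = 512, 16  # assumed limits, not Just Publish's real values

class UnsafePath(ValueError):
    """Raised when an uploaded file path breaks one of the rules below."""

def validate_upload_path(raw):
    """Return the NFC-normalized relative path, or raise UnsafePath."""
    if not raw or len(raw) > MAX_LEN:
        raise UnsafePath("empty or too long")
    path = unicodedata.normalize("NFC", raw)  # one stored form per visible name
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in path):
        raise UnsafePath("control character (includes NUL)")
    if "\\" in path or "%" in path:
        # Refuse alternate separators and encoded bytes instead of decoding them.
        raise UnsafePath("backslash or percent-encoding")
    segments = path.split("/")
    if path.startswith("/") or ":" in segments[0]:
        raise UnsafePath("absolute path or drive/scheme prefix")
    if len(segments) > MAX_DEPTH:
        raise UnsafePath("too many directory levels")
    if any(seg in ("", ".", "..") for seg in segments):
        raise UnsafePath("empty, '.' or '..' segment")
    return path

def storage_key(site_id, raw):
    """Map an upload path to a key under the site's own prefix."""
    # site_id is assumed to be generated server-side, never taken from the upload.
    prefix = f"sites/{site_id}/"
    key = posixpath.normpath(prefix + validate_upload_path(raw))
    if not key.startswith(prefix):  # second check after the rules above
        raise UnsafePath("resolves outside the site prefix")
    return key

def classify(site_id, paths):
    """Return {path: storage key, or None if the path was rejected}."""
    out = {}
    for p in paths:
        try:
            out[p] = storage_key(site_id, p)
        except UnsafePath:
            out[p] = None
    return out

# Constructed sample upload paths, not taken from any real site.
SAMPLES = ["index.html", "assets/css/site.css", "../other/index.html",
           "/index.html", "a/../../b", "%2e%2e/x", "a\\..\\b", "a//b", "C:/x"]
```

Rejecting a suspicious path outright, instead of trying to clean it up, means the stored key is always exactly what the validator approved.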
How your data is protected
Your site's files are backed up every day
We copy every published site's files into a separate backup store once a day, so there's a recent point-in-time copy to restore from. The information about your sites is stored on a platform that supports 30-day point-in-time recovery. Together, these give us a recent copy to restore from if a site is changed or lost by accident.
Stored data is encrypted at rest by our platform
Your site's files and the information about your sites are stored on Cloudflare's storage platform, which encrypts stored data at rest by default. This is a feature of the platform we build on, provided automatically.
Content is served with safe defaults
We serve pages with headers that tell browsers not to second-guess a file's type, which closes off a common way that a mislabeled file could be turned into something harmful.
Keeping the platform clean
Every publish is scanned for obvious abuse
When a site is published, we run an automated check for well-known phishing patterns and block the obvious cases before the files ever go live. Broader protection is handled upstream by our infrastructure provider's security tooling.
Anyone can report a problem site
Every published site has a built-in way to report abuse, so a bad site can be flagged and reviewed. You can also email us directly at abuse@just-done.ai.
What we don't claim
Being honest about our limits is part of security. Just Publish does not currently hold formal security certifications (such as SOC 2 or ISO 27001), and nothing on this page should be read as one. If you have a specific security or compliance requirement, tell us at hi@justpublish.ai and we'll give you a straight answer about whether we can meet it today.