Security

Security is built into Apasaja Flipbook Studio from the first upload to the last page view. Here's an overview of how we keep things safe.

Every upload is scanned

Before a flipbook is published, its PDF runs through layered checks: a heuristic analysis for risky constructs (embedded files, launch actions, JavaScript), an optional ClamAV antivirus pass, and an optional VirusTotal multi-engine lookup. Anything flagged as malicious is rejected automatically.

Files are never executed

Uploaded documents are processed only to generate page images and thumbnails. They are stored outside the public web root and served through authenticated, same-origin routes — never run as code.

Private by default

• Visibility controls — flipbooks are private until you choose to make them unlisted or public.
• Password protection — add a password to any flipbook.
• Embed restrictions — limit which domains may embed your flipbook.
• No watermarks, no ads — your content stays yours.

Account and platform security

• Passwords are stored only as strong one-way hashes.
• Forms are protected against cross-site request forgery (CSRF).
• A strict Content Security Policy limits what can run in the viewer.
• API access uses personal keys that are stored hashed and can be revoked anytime.

Responsible disclosure

Found a vulnerability? We appreciate responsible disclosure. Please contact us with details, and give us reasonable time to investigate and fix the issue before any public disclosure.

---

For how we handle personal data, see our Privacy Policy.