A private event album often uses a share link because guests will not create accounts. That improves participation and moves the security boundary into the URL. The design must assume links are copied into group chats, photographed from signs, saved by browser history, and opened on shared devices.
Identify the assets and actors
Assets include original media, captions, contributor names, voice messages, moderation state, and export archives. Actors include invited guests, the host, suppliers, accidental recipients, automated scanners, and a person who receives an old device.
“Anyone with the link” is not an actor definition. It is an authorization rule with predictable leakage paths.
Separate upload and viewing authority
A QR code displayed in a venue may need to permit contribution without granting access to every existing file. Use distinct capabilities for upload, gallery viewing, moderation, and export. If one link does everything, a photograph of the sign becomes an administrator credential.
Capability tokens should be random, long enough to resist guessing, and stored hashed where practical. Avoid meaningful event names or sequential IDs as the secret part of the URL.
Plan for referrer leakage
If an album page loads third-party images, analytics, or outbound links, the full URL can appear in a Referer header unless policy prevents it. Set a restrictive referrer policy and keep capability tokens out of query strings used by third-party scripts.
Do not place secrets in page titles, Open Graph metadata, or client-side error reports. Messaging previews may fetch and cache those fields automatically.
Treat scanners as normal traffic
Email security products and chat applications may open links before a person does. A GET request must not consume a one-time capability, approve an action, or close an event. State changes require an explicit, protected request.
Rate limiting should tolerate harmless preview fetches while still detecting enumeration and high-volume scraping.
Add host-controlled rotation
The host needs to rotate a leaked share link without deleting the album. New tokens should become active immediately, and old ones should expire after a deliberate overlap or at once for an incident.
Record which printed materials and scheduled messages contain the old code. Rotation without an inventory can lock out legitimate guests or leave the compromised route in circulation.
Reduce exposure on shared devices
Avoid long-lived authentication in local storage for public guest links. Offer a clear sign-out or “forget this album” action when viewing authority is stronger than upload authority. Sensitive albums may require an additional event code that is not printed next to the QR symbol.
Browser history is difficult to control. Keep route names neutral and avoid rendering sensitive thumbnails before access is established.
Model closure and deletion
An event end date should change authorization behavior. Upload authority can close while view access remains for review. Export links should be short-lived and independently revocable. Deleted media should disappear from derivatives and caches, not only the database row.
Test the uncomfortable paths
Copy the link into a different browser profile, open it through a messaging preview, inspect network referrers, attempt old tokens after rotation, and load cached image URLs after removal. A threat model becomes useful when it produces tests.
I help build Gathmo and have a commercial interest in this area. The Gathmo product principles provide context for our approach, but the share-link threats described here are common to many private collaboration tools.
A share link is a credential. Design its scope, lifetime, leakage controls, rotation, and evidence with the same care as any other authorization mechanism.
Top comments (0)