Server security and limits

Minimal server surface

The app intentionally keeps the server as light as possible. Information pages are statically generated at build time and do not load the CPU at runtime.

The only dynamic backend piece is WebSocket (Socket.IO) for real-time message relay.

Protective limits

• Up to 5 active channels created per IP address
• Rate limit: 3 room creation attempts per minute per IP
• WebSocket message size limit: 5 MB
• Automatic cleanup of empty rooms

Recommendations for users

Use strong room passwords. Do not publish passwords publicly — invite links contain both room name and password in the URL hash.

Anyone with the password can decrypt messages. Invite only people you trust.

No message content in logs

The backend does not write message content or chat events to application logs. WebSocket relays encrypted data without reading or archiving it.

Production logs (e.g. hosting panel) should not contain nicknames, passwords, chat content, or message metadata. Only critical app errors are logged, without chat data.