How FilePost Keeps Your Files Secure: Infrastructure and Practices
When you upload a file to a third-party API, you are trusting that service with your data. That is a reasonable concern, and it is one that deserves a transparent answer. This article explains every layer of security in FilePost's infrastructure, from how files travel over the network to where they are stored, who can access them, and how you can delete them permanently.
This is not a marketing page with vague claims about "enterprise-grade security." It is a concrete, technical breakdown of the tools and practices that protect your files.
HTTPS Everywhere
Every connection to FilePost is encrypted with TLS. There are no exceptions and no fallbacks to plain HTTP.
- API traffic: All requests to filepost.dev/v1/* are served over HTTPS with TLS 1.2 or higher. HTTP requests are redirected to HTTPS automatically.
- CDN delivery: Files served from cdn.filepost.dev use HTTPS. When you share a file URL, recipients access it over an encrypted connection.
- Certificate management: TLS certificates are managed automatically through Cloudflare, eliminating the risk of expired or misconfigured certificates.
This means that when you upload a file, the data in transit is encrypted between your application and FilePost's servers. When someone downloads the file using the CDN URL, that transfer is also encrypted. At no point does file data travel over an unencrypted connection.
Authentication: API Key Model
FilePost uses API key authentication for all operations. Every request must include your API key in the X-API-Key header:
curl -X POST https://filepost.dev/v1/upload \
-H "X-API-Key: your_api_key_here" \
-F "file=@document.pdf"
Here is how the API key system works:
- One key per account. Your API key is generated when you sign up and is tied to your email address. All uploads, file listings, and deletions are scoped to your key.
- Key validation on every request. The API server checks the key against the database before processing any operation. Invalid or missing keys receive a 401 response immediately.
- Keys are stored hashed. API keys are hashed before being stored in the database. Even if the database were compromised, the raw keys could not be extracted.
- No shared access. Each API key can only access files uploaded with that same key. There is no way for one user to list, view, or delete another user's files through the API.
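One way a service can implement the hashed-key check and per-key scoping described in the list above. This is an added illustration, not FilePost's code: the SHA-256 digest, the in-memory `KeyStore`, the function names and the 404/204 status codes are assumptions (only the 401 for bad keys comes from the article).

```python
import hashlib
import secrets

def key_digest(api_key: str) -> str:
    # API keys are long random strings, so a fast unsalted hash is enough here;
    # low-entropy secrets such as passwords would need a slow KDF instead.
    return hashlib.sha256(api_key.encode()).hexdigest()

class KeyStore:
    """Hypothetical in-memory stand-in for the service database."""
    def __init__(self):
        self.accounts = {}   # sha256(key) hex digest -> account email
        self.files = {}      # file_id -> owning account email

    def issue_key(self, email: str) -> str:
        api_key = secrets.token_urlsafe(32)        # 256 bits from the OS CSPRNG
        self.accounts[key_digest(api_key)] = email
        return api_key                             # returned once, never stored raw

    def authenticate(self, headers: dict):
        api_key = headers.get("X-API-Key", "")
        return self.accounts.get(key_digest(api_key))   # None means respond 401

    def list_files(self, headers: dict):
        owner = self.authenticate(headers)
        if owner is None:
            return 401, []
        return 200, sorted(f for f, o in self.files.items() if o == owner)

    def delete_file(self, headers: dict, file_id: str):
        owner = self.authenticate(headers)
        if owner is None:
            return 401
        # Same answer for "missing" and "not yours", so file IDs cannot be probed.
        if self.files.get(file_id) != owner:
            return 404
        del self.files[file_id]
        return 204

def demo():
    # Constructed sample data: two accounts, one file owned by the first.
    store = KeyStore()
    alice = {"X-API-Key": store.issue_key("alice@example.com")}
    bob = {"X-API-Key": store.issue_key("bob@example.com")}
    store.files["a1b2c3d4e5f6"] = "alice@example.com"
    return store, alice, bob
```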
Best practices for API key management
- Store your API key in environment variables, not in source code.
- Never include your API key in client-side JavaScript for production applications. Use a server-side proxy (see our React and Next.js guide for examples).
- If you suspect your key has been compromised, contact support for a key rotation.
Storage: Backblaze B2 with Redundancy
FilePost stores all uploaded files on Backblaze B2, an enterprise-grade object storage service. Backblaze was chosen for its combination of reliability, durability, and cost efficiency.
Durability
Backblaze B2 provides 99.999999999% (eleven nines) annual durability. This means that if you store 10 million files, you can statistically expect to lose less than one file every 10,000 years. Files are replicated across multiple drives and multiple servers within the data center.
Availability
Backblaze guarantees 99.9% availability for B2 storage. In practice, B2 has maintained higher uptime than this SLA. FilePost further improves availability by serving all file downloads through Cloudflare's CDN, which caches files at 300+ edge locations worldwide. Even if B2 experiences a temporary outage, cached files continue to be served from Cloudflare's edge.
Isolation
All FilePost user files are stored in a dedicated B2 bucket with server-side encryption. Files are organized by a hashed directory structure that prevents enumeration. Knowing one file's URL does not reveal the location or existence of any other file.
CDN: Cloudflare Network and DDoS Protection
Every file uploaded to FilePost is delivered through Cloudflare's global CDN network. This provides two critical benefits: performance and protection.
Performance
- 300+ edge locations across six continents. Files are cached close to the end user, regardless of where they were uploaded.
- Automatic caching. After the first request, files are served directly from Cloudflare's edge without hitting the origin server. This means sub-50ms response times for cached files in most regions.
- Unlimited bandwidth. All FilePost plans include unlimited bandwidth with no egress fees. Cloudflare's network handles traffic spikes without throttling or surcharges.
DDoS Protection
Cloudflare automatically mitigates DDoS attacks at the network edge. This is not an add-on feature; it is built into every Cloudflare plan. For FilePost, this means:
- Volumetric attacks (flooding with traffic) are absorbed by Cloudflare's network before reaching the origin.
- Application-layer attacks are filtered using Cloudflare's WAF (Web Application Firewall) rules.
- The origin server's IP address is never exposed to the public internet, preventing direct attacks that bypass the CDN.
This architecture means that even if someone attempts to take FilePost offline, the CDN layer absorbs the attack while legitimate requests continue to be served from cached edge locations.
File Access Model: Public URLs with Unguessable Paths
FilePost generates public CDN URLs for uploaded files. This means anyone with the URL can access the file, similar to how an "unlisted" YouTube video works. The security model relies on the unguessability of the URL path.
Here is how file URLs are structured:
https://cdn.filepost.dev/file/filepost/uploads/a1/a1b2c3d4e5f6.pdf
The file path contains a unique, randomly generated identifier. These IDs are long enough that brute-force enumeration is computationally infeasible. There is no sequential numbering, no predictable pattern, and no directory listing.
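How ID length translates into enumeration resistance, as an added sizing example (not FilePost's code). The ID lengths, live-file count and request rate are assumed inputs, not values stated by FilePost, and the two-character shard directory is inferred from the sample URL above.

```python
import math
import secrets

SECONDS_PER_YEAR = 365 * 24 * 3600

def new_file_path(id_hex_chars: int = 32, ext: str = "pdf") -> str:
    """Random ID from the OS CSPRNG, sharded by its first two characters.
    The default length is an assumption, not FilePost's documented value."""
    file_id = secrets.token_hex(id_hex_chars // 2)
    return f"uploads/{file_id[:2]}/{file_id}.{ext}"

def id_bits(id_hex_chars: int) -> int:
    return 4 * id_hex_chars          # each hex character carries 4 bits

def expected_guesses(id_hex_chars: int, live_files: int) -> float:
    """Average number of uniformly random guesses before any live file is hit.
    Each guess succeeds with probability live_files / 2**bits."""
    return 2 ** id_bits(id_hex_chars) / live_files

def years_to_first_hit(id_hex_chars, live_files, guesses_per_second):
    guesses = expected_guesses(id_hex_chars, live_files)
    return guesses / guesses_per_second / SECONDS_PER_YEAR

def min_hex_chars(live_files, guesses_per_second, target_years):
    """Smallest ID length (in hex characters) that keeps the expected time
    to a first hit at or above target_years for the given load."""
    needed = live_files * guesses_per_second * target_years * SECONDS_PER_YEAR
    return math.ceil(math.log2(needed) / 4)

if __name__ == "__main__":
    # Assumed scenario: 10 million live files, 1,000 requests per second
    # getting past rate limiting.
    for chars in (12, 20, 32):
        years = years_to_first_hit(chars, 10_000_000, 1000)
        print(f"{chars} hex chars ({id_bits(chars)} bits): {years:.3g} years")
    print("example path:", new_file_path())
```

The margin shrinks as the number of stored files grows, so size IDs for the largest population you expect, and treat rate limiting as a second control rather than the only one.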
When this model is appropriate
- Publicly shared files: documents, images, downloads, assets that are meant to be accessed via a link.
- Application assets: user avatars, uploaded media in a CMS, file attachments in a support system.
- Temporary shares: files that will be shared with specific people via a direct link.
When to add your own access control
If your application requires authenticated file access (for example, only logged-in users can download a file), you should implement that access control in your own application layer. One common pattern: store the FilePost URL in your database, and only return it to authenticated users through your own API. The FilePost URL itself remains accessible, but only your app knows what it is.
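The pattern described above, sketched with an in-memory SQLite database as an added example (not FilePost's code). The table layout, the `shares` and `audit` tables, and the function names are assumptions; the URL is the sample from this article.

```python
import sqlite3

SAMPLE_URL = "https://cdn.filepost.dev/file/filepost/uploads/a1/a1b2c3d4e5f6.pdf"

def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE attachments (doc_id TEXT PRIMARY KEY, owner TEXT, filepost_url TEXT);
        CREATE TABLE shares (doc_id TEXT, grantee TEXT, PRIMARY KEY (doc_id, grantee));
        CREATE TABLE audit (doc_id TEXT, user TEXT, allowed INTEGER);
    """)
    return db

def seed(db):
    # Constructed sample row: one document owned by "alice".
    db.execute("INSERT INTO attachments VALUES (?, ?, ?)", ("doc-1", "alice", SAMPLE_URL))

def share(db, doc_id, grantee):
    db.execute("INSERT OR IGNORE INTO shares VALUES (?, ?)", (doc_id, grantee))

def download_url(db, session_user, doc_id):
    """Return the stored CDN URL only to the owner or an explicit grantee."""
    if session_user is None:
        raise PermissionError("login required")
    row = db.execute(
        """SELECT a.filepost_url FROM attachments a
           LEFT JOIN shares s ON s.doc_id = a.doc_id AND s.grantee = ?
           WHERE a.doc_id = ? AND (a.owner = ? OR s.grantee IS NOT NULL)""",
        (session_user, doc_id, session_user),
    ).fetchone()
    # Record every decision: the URL is a bearer link once it leaves the app,
    # so the audit trail is the only record of who was given it.
    db.execute("INSERT INTO audit VALUES (?, ?, ?)",
               (doc_id, session_user, int(row is not None)))
    if row is None:
        # Same error for "no such document" and "not yours".
        raise LookupError("not found")
    return row[0]
```

Revoking a grantee here only stops future lookups; a URL already handed out keeps working until the file is deleted through the FilePost API.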
No File Type Restrictions, Isolated Storage
FilePost accepts any file type: images, PDFs, documents, archives, binaries, configuration files, database exports, and anything else you need to host. There is no whitelist or blacklist of allowed file extensions.
The reason this is safe is storage isolation. Uploaded files are stored as inert objects in Backblaze B2 and served as static downloads through Cloudflare. They are never executed, parsed, or processed on the server. A file with a .exe extension is treated the same as a .txt file: it is stored and served, nothing more.
This is fundamentally different from a traditional web server where uploaded files might be executed (for example, a PHP file in a web root). FilePost's architecture eliminates this entire class of vulnerability because files never enter an execution context.
Data Deletion API
You can permanently delete any file you have uploaded through the API:
curl -X DELETE https://filepost.dev/v1/files/a1b2c3d4e5f6 \
-H "X-API-Key: your_api_key_here"
When you delete a file:
- The file is removed from Backblaze B2 storage.
- The CDN cache is purged, so the URL stops working.
- The file record is removed from the FilePost database.
- The deletion is permanent and cannot be undone.
This gives you full control over your data lifecycle. If a user requests deletion of their data, or if you need to remove a file for any reason, a single API call handles it completely.
Listing files before deletion
To see all files associated with your account:
curl https://filepost.dev/v1/files \
-H "X-API-Key: your_api_key_here"
This returns a JSON array with each file's ID, URL, and size. You can use this to audit your uploaded files or build a bulk deletion script:
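import requests

API_KEY = "your_api_key_here"
BASE = "https://filepost.dev/v1"
HEADERS = {"X-API-Key": API_KEY}

# List all files
resp = requests.get(f"{BASE}/files", headers=HEADERS, timeout=30)
resp.raise_for_status()  # stop on a 401 or other error instead of parsing an error body
files = resp.json()

# Delete all files (use with caution)
for f in files:
    r = requests.delete(f"{BASE}/files/{f['file_id']}", headers=HEADERS, timeout=30)
    r.raise_for_status()  # report a deletion only if the API confirmed it
    print(f"Deleted: {f['file_id']}")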
Payment Security: Stripe Integration
FilePost uses Stripe for all payment processing. This means:
- No credit card data touches FilePost servers. Card numbers, CVVs, and billing details are submitted directly to Stripe through their secure checkout page. FilePost never sees, stores, or processes raw payment information.
- PCI DSS compliance. Stripe is a Level 1 PCI Service Provider, the highest level of certification in the payment card industry. By using Stripe's hosted checkout, FilePost inherits this compliance without handling sensitive card data.
- Subscription management. Plan upgrades, downgrades, and cancellations are handled through Stripe's billing portal. Your billing information is managed entirely within Stripe's secure infrastructure.
The free tier requires no payment information at all. You can sign up with just an email address and start uploading immediately.
Disposable Email Blocking
To prevent abuse of the free tier, FilePost blocks signups from disposable email services (like Mailinator, Guerrilla Mail, and similar throwaway providers). This serves multiple security purposes:
- Prevents abuse. Without this protection, a single person could create unlimited free accounts using throwaway emails, bypassing the 30-upload monthly limit.
- Maintains service quality. Abuse from throwaway accounts can degrade performance for legitimate users. Blocking disposable emails keeps the free tier sustainable.
- Reduces spam uploads. Throwaway accounts are frequently used to upload spam or phishing content. Requiring a real email address adds accountability.
The disposable email check happens at signup time. If you are using a legitimate email provider that is incorrectly flagged, contact support for a manual review.
Infrastructure Summary
Here is a complete overview of the security layers in FilePost's architecture:
| Layer | Technology | What it protects |
|---|---|---|
| Transport encryption | TLS 1.2+ via Cloudflare | Data in transit (uploads and downloads) |
| Authentication | Hashed API keys | Unauthorized access to upload/list/delete operations |
| File storage | Backblaze B2 (11 nines durability) | Data loss and corruption |
| CDN and DDoS | Cloudflare (300+ PoPs) | Denial of service attacks, slow delivery |
| File isolation | Static object storage | Remote code execution via uploaded files |
| URL security | Random, unguessable file paths | Unauthorized file enumeration |
| Payment processing | Stripe (PCI Level 1) | Credit card data exposure |
| Abuse prevention | Disposable email blocking | Free tier abuse and spam uploads |
| Data deletion | DELETE API endpoint | Unwanted data retention |
Secure File Hosting, Simple API
FilePost gives you 300 free uploads per month with HTTPS, CDN delivery, and Backblaze B2 redundancy. No credit card required.
Frequently Asked Questions
Can other users access my files?
Not through the API. The list and delete endpoints only return files uploaded with your API key. However, the CDN URLs themselves are public: anyone with the link can download the file. If you need authenticated access, implement that in your application layer.
Are files encrypted at rest?
Backblaze B2 encrypts all stored objects using server-side encryption (SSE-B2). This protects against physical drive theft or unauthorized access to the storage hardware.
What happens if Backblaze goes down?
Files that have already been accessed at least once are cached on Cloudflare's edge network. During a B2 outage, cached files continue to be served normally. New uploads would be temporarily unavailable until B2 recovers.
Can I delete all my data?
Yes. Use the list endpoint to get all your file IDs, then call the delete endpoint for each one. You can also contact support for a full account deletion, which removes your account, API key, and all associated files.
Is FilePost GDPR compliant?
FilePost stores minimal personal data (email address and hashed API key). Files can be deleted on demand through the API. For users who need complete data erasure, account deletion removes all stored data, files, and account records.
Do you scan uploaded files?
FilePost does not scan or inspect file contents. Files are stored and served as-is. The platform is designed for developers who need file hosting infrastructure, not for consumer file sharing with content moderation.
Pricing Tiers
All security features described in this article are included on every plan, including the free tier:
- Free: 300 uploads/month, 50MB max file size, 2GB storage, unlimited bandwidth
- Starter ($9/mo): 5,000 uploads/month, 200MB max file size
- Pro ($29/mo): 25,000 uploads/month, 500MB max file size
There are no separate security tiers. HTTPS, CDN delivery, Backblaze B2 storage, DDoS protection, and the data deletion API are available to every user.