Notexo Smart Notes

How Notexo Protects Your Notes

A comprehensive guide to the security measures built into Notexo to keep your notes safe, private, and under your control.

Bcrypt Password Hashing

Note passwords are hashed with bcrypt at cost factor 10 (2^10 key-setup rounds; bcrypt also generates a random 128-bit salt for every hash) before storage. The database holds only the salted hash, so anyone who can read it, database administrators included, still cannot recover the password. Each note password is hashed independently, so two notes protected with the same password produce different hashes. One property of bcrypt worth knowing: it uses only the first 72 bytes of a password.
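As an added example (not Notexo's code), the following shows how a service can read the cost factor from a stored bcrypt hash and decide whether a note password should be re-hashed on its next successful check, plus the 72-byte length guard. The actual hashing and comparison are done by a bcrypt library (for example bcrypt.hash and bcrypt.compare); this code only parses the modular-crypt header every bcrypt hash carries. The sample hashes are constructed to be syntactically valid and are not real credentials.

```javascript
// Added example, not Notexo's code: inspect stored bcrypt hashes and decide when a
// hash needs re-hashing because its cost factor is below policy. The hash/compare
// themselves are done by a bcrypt library; this only reads the hash header.

// A bcrypt hash is 60 characters: $2<variant>$<cost>$<22-char salt><31-char digest>
const BCRYPT_RE = /^\$2([abxy])\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/;

function parseBcryptHash(hash) {
  const m = BCRYPT_RE.exec(hash);
  if (!m) return null;
  const cost = Number(m[2]);
  if (cost < 4 || cost > 31) return null; // bcrypt's valid cost range
  return { variant: "2" + m[1], cost, rounds: 2 ** cost, salt: m[3], digest: m[4] };
}

// Policy: the page states cost 10. Anything below that, or anything that is not a
// bcrypt hash at all, should be re-hashed the next time the password is verified.
function needsRehash(hash, policyCost = 10) {
  const parsed = parseBcryptHash(hash);
  return parsed === null || parsed.cost < policyCost;
}

// bcrypt consumes only the first 72 bytes of the password. Reject longer input up
// front rather than silently truncating it. Length is measured in UTF-8 bytes.
function checkPasswordLength(password) {
  return Buffer.byteLength(password, "utf8") <= 72;
}

// Constructed sample hashes (syntactically valid, not real credentials).
const SAMPLES = {
  current: "$2b$10$" + "abcdefghijklmnopqrstuv" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234",
  legacy:  "$2a$06$" + "abcdefghijklmnopqrstuv" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234",
  plain:   "hunter2", // not a hash: a migration bug or a legacy row
};

for (const [name, hash] of Object.entries(SAMPLES)) {
  const parsed = parseBcryptHash(hash);
  console.log(name, parsed ? `cost ${parsed.cost} (${parsed.rounds} rounds)` : "not bcrypt",
    needsRehash(hash) ? "-> rehash" : "-> ok");
}
```

The re-hash check belongs right after a successful verification, when the plaintext is briefly in hand; it lets a deployment raise the cost factor later without forcing a password reset.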

Namespace Isolation

Private notes live in the @username namespace, completely isolated from public notes. Only the owner and explicitly shared users can access private content.

Granular Access Control

Share notes with specific users at view or edit permission levels. Set expiry dates on shared access. Revoke access instantly from your dashboard.

Share Link Controls

Create anonymous share links with view-only or edit permissions. Each link has a unique token. Links can be revoked instantly, and expired links are automatically hard-deleted.

TTL Auto-Deletion

Notes with expiry dates are permanently deleted by a MongoDB TTL index, which a background task services about once a minute. There is no soft-delete and no recovery: once the TTL pass runs, the document is irrecoverably removed from the database.
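As an added example (not Notexo's code), this block shows the TTL index such a setup would use and two checks a practitioner wants around it: the rule the TTL monitor applies (only real Date values count, so a string expiry makes a note permanent), and the read-side filter that hides an expired note during the window of up to about a minute before the TTL pass removes it. The field name expiresAt and the sample documents are assumptions constructed for the example; the index call is commented out because it needs a live driver connection.

```javascript
// Added example, not Notexo's code. Field name `expiresAt` and the sample
// documents are assumed for illustration.

// With expireAfterSeconds: 0 the stored Date is the deletion time itself.
// Live driver call (not run here): collection.createIndex(...TTL_INDEX)
const TTL_INDEX = [{ expiresAt: 1 }, { expireAfterSeconds: 0 }];

// Mirror of the TTL monitor's rule: a document is removed once the earliest Date
// in the indexed field plus expireAfterSeconds is <= now. Values that are not
// Dates (strings, numbers) are ignored, so such documents are never deleted.
function ttlDeletionTime(doc, field = "expiresAt", expireAfterSeconds = 0) {
  const v = doc[field];
  const dates = (Array.isArray(v) ? v : [v]).filter((x) => x instanceof Date && !isNaN(x));
  if (dates.length === 0) return null; // not eligible for TTL deletion at all
  return Math.min(...dates.map((d) => d.getTime())) + expireAfterSeconds * 1000;
}

function ttlWouldDelete(doc, now) {
  const t = ttlDeletionTime(doc);
  return t !== null && t <= now;
}

// The TTL monitor runs about once a minute, so an expired note can sit in the
// collection for up to ~60 s. Reads must exclude it themselves: AND this into
// every note query rather than relying on the index for access control.
function notExpiredFilter(now = new Date()) {
  return {
    $or: [
      { expiresAt: { $exists: false } },
      { expiresAt: null },
      { expiresAt: { $gt: now } },
    ],
  };
}

// Validation on write: anything that is not a valid Date must be rejected,
// otherwise the note silently becomes permanent.
function normalizeExpiry(input) {
  if (input == null) return null;
  const d = input instanceof Date ? input : new Date(input);
  if (isNaN(d)) throw new TypeError("expiresAt must be a valid date");
  return d;
}

// Constructed sample documents.
const NOW = Date.UTC(2025, 0, 1, 12, 0, 0);
const docs = [
  { _id: "a", expiresAt: new Date(NOW - 1000) },     // expired: will be deleted
  { _id: "b", expiresAt: new Date(NOW + 3600000) },  // still live
  { _id: "c", expiresAt: "2024-12-31T00:00:00Z" },   // string: TTL ignores it
  { _id: "d" },                                      // no expiry: permanent
];

for (const doc of docs) {
  console.log(doc._id, ttlWouldDelete(doc, NOW) ? "TTL deletes" : "TTL keeps");
}
```

The string case is the one that bites in practice: an API that accepts expiresAt as text and stores it unchanged produces notes that look expired in the UI but are never removed.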

Rate Limiting

All sensitive endpoints (login, registration, support, feedback) are rate-limited per IP or email to prevent brute-force attacks and spam.
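As an added example (not Notexo's code), here is a fixed-window limiter keyed per IP or per email as the paragraph describes, with two details that decide whether such a limiter actually stops a brute-force attempt: the login path is limited on both keys, and the client IP is taken from X-Forwarded-For only when the request arrived through a proxy the service controls, since otherwise the client chooses its own key. The limits, window and trusted-proxy set are assumptions for the example.

```javascript
// Added example, not Notexo's code. Limits, window sizes and the trusted-proxy
// set are assumed values for illustration.

class RateLimiter {
  constructor({ limit, windowMs }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.buckets = new Map(); // key -> { windowStart, count }
  }

  // Consume one attempt for `key`. Returns { allowed, remaining, retryAfterMs }.
  hit(key, now = Date.now()) {
    let b = this.buckets.get(key);
    if (!b || now - b.windowStart >= this.windowMs) {
      b = { windowStart: now, count: 0 };
      this.buckets.set(key, b);
    }
    if (b.count >= this.limit) {
      return { allowed: false, remaining: 0, retryAfterMs: b.windowStart + this.windowMs - now };
    }
    b.count += 1;
    return { allowed: true, remaining: this.limit - b.count, retryAfterMs: 0 };
  }
}

// Keys are namespaced so an IP and an email never collide, and the email is
// normalised so "Alice@Example.com" and "alice@example.com" share a bucket.
const ipKey = (ip) => `ip:${ip}`;
const emailKey = (email) => `email:${String(email).trim().toLowerCase()}`;

// Trust X-Forwarded-For only when the TCP peer is one of our own proxies, and
// then take the entry that proxy appended (the last one). Otherwise a client
// could pick its own key, and its own limit, just by setting the header.
function clientIp(socketAddress, headers, trustedProxies) {
  const xff = headers["x-forwarded-for"];
  if (!xff || !trustedProxies.has(socketAddress)) return socketAddress;
  const chain = xff.split(",").map((s) => s.trim()).filter(Boolean);
  return chain.length ? chain[chain.length - 1] : socketAddress;
}

// Login is limited on both keys: the per-IP bucket stops one host spraying many
// accounts, the per-email bucket stops many hosts targeting one account.
const loginByIp = new RateLimiter({ limit: 20, windowMs: 15 * 60 * 1000 });
const loginByEmail = new RateLimiter({ limit: 5, windowMs: 15 * 60 * 1000 });

function allowLoginAttempt(ip, email, now = Date.now()) {
  const byIp = loginByIp.hit(ipKey(ip), now);
  if (!byIp.allowed) return byIp; // do not burn the email budget on a blocked IP
  return loginByEmail.hit(emailKey(email), now);
}

// Usage with a constructed request
const TRUSTED_PROXIES = new Set(["10.0.0.1"]);
const ip = clientIp("10.0.0.1", { "x-forwarded-for": "203.0.113.5" }, TRUSTED_PROXIES);
console.log("attempt from", ip, allowLoginAttempt(ip, "Alice@Example.com"));
```

A fixed window is the simplest shape; a sliding window or token bucket smooths the burst at window boundaries, but the keying and the proxy check matter more than the algorithm.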

Session Security

Notexo uses NextAuth.js with HttpOnly session cookies (not readable by page scripts) for session management, and the session is validated server-side on every request. Google OAuth tokens are never stored client-side. CSRF protection for the sign-in and sign-out endpoints is built into the authentication framework.

Data at Rest

All data is stored in MongoDB Atlas with encryption at rest enabled by default. Database connections use TLS encryption. Connection strings and API keys are stored in environment variables, never committed to source control.

Reporting Vulnerabilities

If you discover a security vulnerability in Notexo, please report it responsibly via the Support page. We take all reports seriously and will respond promptly.