Agent-readable docs index: /llms.txt. Full docs in one file: /llms-full.txt. Download /docs.zip to grep all markdown files locally.
Security & Acceptable Use
Security
HTTPS
All Dropley URLs, including artifact pages, are served over HTTPS. TLS is enforced at the edge.
Content Security Policy
Dropley applies strict Content Security Policy (CSP) headers to published artifacts. These restrict which resources (scripts, styles, images) the page can load.
No User Accounts
Dropley does not collect or store personal data. There are no accounts, passwords, or sessions. Your artifact token is the only credential for managing your artifact.
Abuse Protection
Dropley uses:
Rate limiting to prevent API abuse (per-endpoint, IP-based with HMAC-hashed identifiers)
WAF rules at the edge for common attack patterns
IP-based throttling with daily rotating HMAC-SHA256 hashing — no raw IPs stored
Abuse detection: Failed authentication attempts are tracked per identifier; after a configurable threshold, the identifier is temporarily blocked
Path traversal protection: Absolute paths, .. traversal, hidden files, and deep nesting are rejected
File type whitelist: Only allowed extensions (HTML, CSS, JS, images, fonts) are accepted
Origin isolation: Published artifacts are served with Cross-Origin-Opener-Policy: same-origin and Cross-Origin-Resource-Policy: same-origin
No iframing: frame-ancestors: 'none' prevents embedding in third-party sites
Data Deletion
When an artifact expires, all associated files and metadata are permanently deleted. No backups are retained.
Acceptable Use
What You Can Publish
Any static content that complies with applicable laws. Examples include:
Personal projects and portfolios
Design previews and prototypes
Documentation pages
Educational content
Open-source project demos
What You Cannot Publish
Illegal content: Anything that violates applicable laws
Malware or exploits: Files designed to harm systems or users