Security

glance.sh is designed to be ephemeral. Images are temporary, storage is private, and data is automatically deleted. Here is how we protect your uploads.

Private storage

All uploads are stored in a private Vercel Blob store. Blobs are never publicly accessible. Every request is validated and streamed through the application, which checks expiry before serving any content.

Encryption at rest

Every image is encrypted in your browser before it leaves your device. The encryption key is derived from the share token embedded in the URL, so only someone with the exact link can decrypt the image. The server and blob store never see plaintext image data.

Automatic expiry & deletion

Every upload is assigned a short-lived token that expires within 30 minutes. After expiry, the image can no longer be accessed. Expired blobs are permanently deleted shortly after expiration.

No accounts, no tracking

glance.sh does not require sign-up, does not set cookies, and does not collect personal information.

Link security

Uploaded images are only accessible via a URL with an embedded unique token, generated and displayed once. Each token is created using node:crypto with over 768 quadrillion possible combinations. Only someone with the exact link can access an image, and only before it expires.

Infrastructure

glance.sh runs on Vercel with TLS everywhere. All traffic between your browser, the application, and storage is encrypted in transit.

Reporting issues

If you discover a security vulnerability or have concerns, contact security@modem.dev.

Sub-processors

The following third-party services process data on our behalf:

• Vercel — hosting, edge network, and blob storage
• Upstash — Redis for live-session coordination

Last updated: March 2026