Security

myhtml hosts pages anyone can publish in seconds — so safety is built into how the platform works, not bolted on. Here's plainly what we do to keep your sites, your visitors, and your data protected.

Your sites are isolated & sandboxed

Every page we serve is scoped to its own site. When the edge serves your HTML it injects a short-lived, origin-bound site token — it lives for about 15 minutes, is minted fresh per request, and can only read and write yoursite's data. The backend verifies that token on every call and scopes everything to your site, so one site can never reach into another's database or files.

  • No API keys in your page.Your secret API key never touches the HTML you publish — the page only ever holds the scoped, expiring site token, so there's nothing for a visitor to steal and reuse.
  • Per-site data isolation. Your mh.dbcollections, key-value data, and uploaded files all live under your site's own identity. Per-visitor data is keyed to an anonymous visitor id so visitors can't read each other's private state either.
  • Strict security headers. Served pages set a Content-Security- Policy, X-Content-Type-Options: nosniff, Referrer-Policy: strict-origin-when-cross-origin, and frame-ancestors / base-urirestrictions. We also guard against path-traversal so a request can never escape your site's storage.

The site token is the same “zero-config” magic that makes window.mh just work — see the docs.

Every site is HTTPS

Sites are served over HTTPS with free, automatic TLS — there's nothing to configure and no certificate to buy or renew. Your pages and the data they exchange with the backend are encrypted in transit, and they run on Cloudflare's global edge network, so they load fast wherever your visitors are.

We screen what gets published

Every deploy runs through an automated safety scan before it can go live. A fast, deterministic check looks for the hallmarks of abuse — credential-harvesting login forms that impersonate real brands, known crypto-wallet-drainer signatures, heavily obfuscated scripts, and embedded executables. Riskier deploys can get a second look from an AI reviewer working to a strict content-safety rubric.

  • Hard blocks. Clear phishing, malware, or wallet-drainer content is rejected outright at deploy time — it never publishes.
  • A checked “slow lane” for free sites.Free deploys must pass the scan before the edge serves them. It usually takes well under a minute; while a site is being reviewed, visitors see a brief “being reviewed” placeholder instead of unvetted content.
  • Suspended sites are taken down. If a site is found to violate our acceptable-use policy, it stops serving and visitors get a clear takedown notice (an HTTP 451 tombstone) explaining the page is unavailable.

Genuine apps, games, demos, portfolios, and forms that collect their own data are safe and publish normally. What's and isn't allowed is spelled out in our Terms.

Abuse reporting & takedown

Every free site carries a small report link, right next to the “made with myhtml” badge, so anyone who lands on a bad page can flag it in one click. Reports go to our /report form, where you can tell us what's wrong — phishing, malware, illegal content, copyright, spam, or anything else.

We review reports and remove sites that break our rules. You can also email us directly at hello@myhtml.io, including for intellectual-property complaints.

Rate limits & quotas

The backend protects itself — and you — with rate limits on every request. We throttle on two independent budgets: a per-site limit, and a separate per-visitor limit. That means a single noisy or malicious visitor can't exhaust your whole site's budget, and a busy site can't be taken down by one abusive browser. Requests over the limit get a clear 429 with a Retry-After hint.

AI calls are capped, too. The mh.ai feature is off by default. When you turn it on, calls run through a metered proxy with a daily cap you set per site, so a page that goes viral can't drain your credits — once the cap is reached, further calls are declined until the next day. There are also request-size and message-count limits to block abusive payloads.

Your data, your control

You own everything you publish, and you can take it down at any time from your dashboard.

  • Delete anytime. Delete a site and it stops being served immediately, and its stored files and uploads are purged from object storage (Cloudflare R2) shortly after.
  • Private sites.On paid plans you can mark a site private so it isn't publicly viewable. Private visibility is enforced on the server, not just hidden in the UI.

How we handle personal information — including encryption in transit, scoped access tokens, and breach notification — is covered in our Privacy Policy.

Found a vulnerability?

Responsible security research is welcome. If you think you've found a vulnerability, please tell us first at hello@myhtml.io and give us a reasonable chance to fix it before disclosing it publicly. Please don't access other users' data or disrupt the Service while testing.

Ship something safe in seconds

Drop a file, get a site — with isolation, HTTPS, and screening baked in.

Start free →