How secure are your previews?

If you password-protect a preview, your designs sit behind that password. They cannot be reached by guessing the link or poking at the address. Here is exactly what protects them, in plain English, and the deliberate ways a preview can still be opened without the password.

The short answer

No one can reach your designs by guessing the link or tampering with the URL. Every page and every file behind a password-protected preview is held back until the correct password is entered. There is no hidden back door, and previews are kept out of search engines entirely.

What protects your designs

  • Everything is behind the password, not just the front page. Images, fonts and the page itself are all held back until the password is entered. There is no separate file address that skips the gate.
  • The password is never stored in readable form. It is kept only as a one-way scrambled fingerprint, so even the underlying system never holds the password you set.
  • The unlocked state is signed, so it cannot be faked. Once a client enters the password, their unlocked session is cryptographically signed. It cannot be guessed, forged or copied to another device, and it asks again after 7 days.
  • Search engines cannot see them. Previews are marked private and crawlers are blocked, so your designs never show up in Google or any other search engine.
  • Nothing is cached publicly, and each client is isolated. Unlocked content is never stored in a shared cache, and one client's files can never be reached from another client's preview.

Are there ways to view without the password?

Only the deliberate ones you control. None of these is a way around the lock; they are choices you make:

  1. A no-password share link. If you send a share link, it opens the preview without typing the password. It is a convenience for quick sign-off, and you can revoke it at any time.
  2. The preview is set to public. Public previews have no password by default. New previews are password-protected unless you change that.
  3. Someone is given the link and the password. Anyone a person chooses to forward both to can view it. That is true of any password, anywhere.

Good to know

Anyone who can view a preview can screenshot or save what is on their screen. Password protection controls who gets in, not what a legitimate viewer does once they are looking at it. No web-based tool can prevent that, and any vendor claiming otherwise is overselling.

What you control

  • Password protection on or off. A single toggle per preview, on by default for new work. Keep it on for anything client-confidential.
  • Revoke a share link. If a no-password link gets out, revoke it and it stops working immediately. Existing unlocks are cut off too.
  • See when a client opens it. Open tracking tells you the moment a preview is viewed, so you always know who saw what and when.

For the technically minded

  • Previews are served from an isolated system, separate from the main app, and their content is never readable except through the password gate.
  • Passwords are stored only as a salted one-way hash with deliberately slow, repeated hashing, which makes guessing impractical even if the stored data were ever exposed.
  • Unlocks are signed and bound to the specific preview, so they cannot be forged or replayed against another project.
  • Repeated wrong guesses are rate-limited per visitor, on top of the slow hashing, so a weak password still cannot be brute-forced.
  • All preview responses are marked no-index and no-store, so they are never indexed by search engines or held in a shared cache.
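
A minimal sketch of the two mechanisms described in this list: a salted, slow password hash and a signed unlock bound to one preview with a 7-day expiry. This is an added example, not the product's own code. PBKDF2-HMAC-SHA256, the round count, the token layout and every name in it are assumptions, since the page names no algorithm.

```python
import hashlib, hmac, os, time

SERVER_KEY = os.urandom(32)   # signing key (assumption: held server-side only)
UNLOCK_TTL = 7 * 24 * 3600    # the page says an unlock asks again after 7 days
PBKDF2_ROUNDS = 600_000       # assumed work factor; not stated on the page


def hash_password(password, salt=None):
    """Return (salt, digest): a salted, deliberately slow one-way hash."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def check_password(password, salt, stored):
    """Re-hash the attempt with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


def _sign(preview_id, expires):
    # The MAC covers both the preview id and the expiry, so neither can be changed.
    msg = f"{preview_id}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_unlock(preview_id, now=None):
    """Signed unlock token bound to one preview, valid for UNLOCK_TTL seconds."""
    expires = int(now if now is not None else time.time()) + UNLOCK_TTL
    return f"{expires}.{_sign(preview_id, expires)}"


def verify_unlock(token, preview_id, now=None):
    """Accept only an unexpired token whose signature covers this preview_id."""
    try:
        expires_s, sig = token.split(".", 1)
        expires = int(expires_s)
    except ValueError:
        return False  # malformed token
    expected = _sign(preview_id, expires)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False  # forged, edited, or issued for a different preview
    return (now if now is not None else time.time()) < expires
```

Because the preview identifier is part of the signed message, a token issued for one preview fails verification when presented to another, and changing the expiry invalidates the signature.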

Want a quick rule of thumb for clients? If the preview shows a password screen, it is private. The only ways in are the password, a share link you chose to send, or you setting it public, and you can change or revoke any of those whenever you like.