Engineering

62 bits: why sharing a link can be the access control

Bart Pelle, Chief Hurler · 2 min read

Every hurl.page drop lives on an unguessable subdomain, and anyone holding the link can view it. That sentence makes some security teams twitch — so let's do the actual arithmetic on what "unguessable" means, and be honest about where it stops.

The claim

Slugs look like vast-juice-c2dse08p: two words drawn from curated lists, plus an 8-character base36 tail minted from a CSPRNG. There's no public index, no directory page, and no sequential IDs to walk. Possession of the URL is the credential.

Doing the math

  • The word pair: 939 × 2,108 ≈ 2 million combinations — about 21 bits
  • The tail: 36⁸ ≈ 2.8 × 10¹² — about 41 bits
  • Together: ~62 bits, roughly 4.6 × 10¹⁸ possible slugs

Suppose someone targets one specific drop and fires a million guesses per second — every one a full HTTPS request. The expected time to a hit is north of 70,000 years. Spraying for any drop doesn't help much either: even with millions of live drops, the space is so sparse that the expected effort per hit stays in the billions of billions of requests. And each guess buys exactly one page, not a foothold — there's nothing to enumerate from a found drop.
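The arithmetic above, together with the minting step it rests on, as an added example that is not hurl.page's own code: it computes the slug space and entropy from the list sizes and tail length the post gives, converts that into expected guessing time at a chosen request rate (targeted and sprayed), and mints a slug of the same shape from the OS CSPRNG. The toy word lists, the `is_well_formed` shape check and the function names are constructed for this example; the real curated word lists are not on the page.

```python
import math
import re
import secrets
import string
from typing import Sequence

# Base36 alphabet for the random tail (digits + lowercase letters).
BASE36 = string.digits + string.ascii_lowercase

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def slug_space(words_a: int, words_b: int, tail_len: int, alphabet_size: int = 36) -> int:
    """Number of distinct slugs: one word from each list times every possible tail."""
    return words_a * words_b * alphabet_size ** tail_len


def slug_entropy_bits(words_a: int, words_b: int, tail_len: int, alphabet_size: int = 36) -> float:
    """Entropy in bits, assuming every word and every tail character is chosen uniformly."""
    return math.log2(slug_space(words_a, words_b, tail_len, alphabet_size))


def expected_years_to_guess_one(space: int, guesses_per_second: float) -> float:
    """Expected time to hit one specific slug by blind guessing.

    On average the guesser gets there after searching half the space.
    """
    return space / 2 / guesses_per_second / SECONDS_PER_YEAR


def expected_guesses_per_hit_spraying(space: int, live_drops: int) -> float:
    """Expected guesses until *any* live drop is hit when spraying the whole space.

    Each guess lands on a live slug with probability live_drops / space.
    """
    return space / live_drops


def mint_slug(list_a: Sequence[str], list_b: Sequence[str], tail_len: int = 8) -> str:
    """Mint a slug in the vast-juice-c2dse08p shape using the OS CSPRNG (secrets).

    The entropy figures only hold if the tail really is unpredictable; a
    non-cryptographic generator such as random.choice does not give that
    guarantee, so the secrets module is used throughout.
    """
    word_a = secrets.choice(list_a)
    word_b = secrets.choice(list_b)
    tail = "".join(secrets.choice(BASE36) for _ in range(tail_len))
    return f"{word_a}-{word_b}-{tail}"


# Shape check only (constructed for this example): two lowercase words and an
# 8-character base36 tail. It says nothing about whether the slug exists.
SLUG_RE = re.compile(r"^[a-z]+-[a-z]+-[0-9a-z]{8}$")


def is_well_formed(slug: str) -> bool:
    return SLUG_RE.fullmatch(slug) is not None


if __name__ == "__main__":
    # Constructed toy word lists; the real curated lists (939 and 2,108 words) are not public.
    adjectives = ["vast", "quiet", "amber", "brisk"]
    nouns = ["juice", "river", "lantern", "comet"]

    bits = slug_entropy_bits(939, 2108, 8)
    space = slug_space(939, 2108, 8)
    print(f"entropy: {bits:.2f} bits, space: {space:.3e} slugs")
    print(f"targeted, 1e6 guesses/s: {expected_years_to_guess_one(space, 1e6):,.0f} years")
    print(f"spraying over 1e6 live drops: {expected_guesses_per_hit_spraying(space, 1e6):.3e} guesses/hit")
    print("sample slug:", mint_slug(adjectives, nouns))
```

The helpers take the list sizes, tail length and alphabet size as parameters, so the same code answers the question for a different slug layout (a longer tail, a hex alphabet, a third word). Note that the entropy figure assumes uniform selection; a word list with a skewed pick distribution, or a tail drawn from a seeded non-cryptographic generator, delivers fewer effective bits than the formula reports.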

What 62 bits buys you

  • Unlisted, not public. Crawlers only find what's linked somewhere — we never list drops anywhere, so the only people who can find yours are the ones you gave it to.
  • Origin isolation. User content serves exclusively on *.hurled.page, each drop on its own subdomain — never on the origin that holds your session.
  • A shrinking window. Free drops expire after 7 days, so a link that leaks usually points at a 410 within the week.

Where it stops

A link is a bearer token. It forwards, it screenshots, it lands in browser histories and Slack search indexes. For review artifacts that's fine — the blast radius of a leak is a coverage report. For regulated data, it's not. If a leaked URL would be an incident, put the page behind your SSO and use a different tool. We'd rather be clear about that boundary than blur it.

Password-protected drops are on the roadmap for the cases in between. Until then, the rule of thumb is simple: hurl what you'd paste in a company-wide channel, and nothing you wouldn't. For the story of why the whole product works this way, start with the launch post.

Written by

Bart Pelle

Chief Hurler

Bart founded Bitgate and crowned himself Chief Hurler — a fancy title for “throws HTML at an API all day and occasionally writes about it.” If a build's on fire, he's the one who lit it. Usually on purpose.
