Content Security

What changed

Uploaded files are served from https://256t.us/{cid}. The UI, API, auth flows, dashboard, and SDK stay on https://hashbin.org.

Why this matters

Because 256t.us is a different browser origin, uploaded HTML, SVG, and JavaScript cannot read HashBin cookies, make authenticated API requests as the user, spoof the dashboard, or register service workers for the main application.

This is the same same-origin isolation pattern used by GitHub, Google Drive, and Discord for untrusted user files.

What 256t.us is

256t.us is run by the same operator as HashBin. It is a dedicated content sandbox that only serves raw uploaded files with strict response headers.

What this means for you

Use https://hashbin.org/api/ for API calls and https://256t.us/{cid} for file retrieval. Upload and metadata responses now include the content URL directly.