verified Security Transparency Report

Security & Anti-Quishing

qr3.app is purpose-built to be a safe QR code platform. This page explains how we protect end users from QR code phishing attacks (Quishing) and the technical measures we have in place.

What is Quishing?

Quishing (QR + phishing) is the use of QR codes to direct users to malicious websites. Because URLs in QR codes are not visible to the human eye, attackers use them to bypass email filters, bypass security awareness training, and exploit users' trust in physical media.

Our Multi-Layer Protection

URL Scanning at Creation

Every URL submitted to qr3.app is checked against Google Web Risk API before the QR code goes live. Malicious URLs are rejected.

Active

sync

Continuous Re-Scanning

All active QR codes are re-scanned every 24h to catch URLs that become malicious after creation. Compromised codes are automatically paused.

Active

bolt

Real-Time Validation API

Enterprise customers can integrate our Anti-Quishing API (POST /v1/scan/validate) into their QR scanner apps, email gateways, or print workflows.

Enterprise

flag

Abuse Reporting

Any user can report a suspicious QR code via POST /v1/report. Reported codes trigger immediate manual review and temporary suspension.

Active

lock

Redirect Transparency

The redirect worker adds a X-QR3-Scan-Status: safe header to all responses, so security tools can verify a QR code was scanned clean.

Active

public

Cloudflare Edge Protection

All traffic routes through Cloudflare's WAF, DDoS protection, and Bot Management. 300+ locations worldwide with sub-10ms latency.

Active

Threat Coverage

Threat Type	Detection	Response
Malware download links	Google Web Risk	Rejected + re-scan
Phishing / social engineering	Google Web Risk	Rejected + re-scan
Unwanted software	Google Web Risk	Rejected at creation
Domain spoofing	Reports + manual review	Code suspended
Post-creation compromise	24h re-scan cron	Auto-paused, webhook

GDPR & Privacy

Security scanning does not compromise end-user privacy. We never store raw IP addresses. All scan analytics use SHA-256 hashed IPs with a daily rotating salt. See our Privacy Policy for full details.

Responsible Disclosure

If you discover a security vulnerability in qr3.app, please report it to [email protected]. We follow a 90-day responsible disclosure policy.

Report a Suspicious QR Code

POST https://qr3.app/v1/report
Content-Type: application/json

{ "short_code": "r7f3Kx", "reason": "phishing" }

Or email [email protected] with the QR code URL.

Last updated: March 2026 | Ostheimer OG