
Security

Last updated: June 21, 2026

WaitToUnlock asks you to trust it with something sensitive: your Screen Time passcode. I take that seriously. Here's plainly how your passcode is protected.

Your passcode is encrypted at rest

Your passcode is never stored in plaintext. It's encrypted with Fernet (AES-128 in CBC mode, authenticated with an HMAC-SHA256 tag, so a ciphertext that has been altered is rejected rather than decrypted) before it's saved. The encryption key is derived from a server-held secret using PBKDF2-HMAC-SHA256 with 480,000 iterations. For comparison, OWASP currently recommends 600,000 iterations of PBKDF2-HMAC-SHA256 when it protects a password a person typed; here the input is a server secret rather than a user-chosen password, so what matters most is that the secret is kept out of the database, since the encryption only helps in a breach if the key does not leak with the data.
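Here is the scheme described above as a worked example in Python, added to illustrate this page rather than taken from WaitToUnlock's own code. It uses the cryptography library's Fernet and the standard library's PBKDF2 implementation; the secret, salt and passcode are constructed values for the example, and how the real service stores its salt and secret is not known from this page. The point it makes that the paragraph only states: a token whose bytes have been altered, or one decrypted under a key derived from the wrong secret, fails the HMAC check and yields nothing, never a plausible-looking wrong passcode.

```python
import base64
import hashlib
from typing import Optional

from cryptography.fernet import Fernet, InvalidToken

# Work factor named on the page. The salt and secret used below are constructed
# for this example; they are not values from the service.
PBKDF2_ITERATIONS = 480_000


def derive_fernet_key(secret: bytes, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Stretch a server-held secret into the 32-byte, urlsafe-base64 key Fernet expects.

    The salt is not secret and must be stored so the same key can be re-derived;
    the secret is what must stay out of the database.
    """
    raw = hashlib.pbkdf2_hmac("sha256", secret, salt, iterations, dklen=32)
    return base64.urlsafe_b64encode(raw)


def encrypt_passcode(passcode: str, key: bytes) -> bytes:
    """Produce a Fernet token: version || timestamp || IV || AES-128-CBC ciphertext || HMAC-SHA256 tag."""
    return Fernet(key).encrypt(passcode.encode("utf-8"))


def reveal_passcode(token: bytes, key: bytes) -> Optional[str]:
    """Decrypt for a single response. Returns None if the tag does not verify,
    which covers both a tampered row and a key derived from the wrong secret."""
    try:
        return Fernet(key).decrypt(token).decode("utf-8")
    except InvalidToken:
        return None


def flip_one_character(token: bytes, index: int) -> bytes:
    """Simulate a corrupted or tampered database row by changing one base64 character
    of the token; any change to the encoded bytes invalidates the HMAC tag."""
    ch = token[index:index + 1]
    replacement = b"B" if ch == b"A" else b"A"
    return token[:index] + replacement + token[index + 1:]


if __name__ == "__main__":
    salt = b"example-salt-16B"           # constructed; stored alongside the record in practice
    key = derive_fernet_key(b"example-server-secret", salt)
    token = encrypt_passcode("1234", key)
    print("stored:", token.decode())
    print("revealed:", reveal_passcode(token, key))
    print("tampered row:", reveal_passcode(flip_one_character(token, 40), key))
    print("wrong secret:", reveal_passcode(token, derive_fernet_key(b"wrong-secret", salt)))
```

The derived key is deterministic for a given secret and salt, so the server can re-derive it on every request and never needs to persist the key itself.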

It's only decrypted at the moment you reveal it

The passcode stays encrypted the entire time it sits in the database. It is decrypted only server-side, in memory, for a single response, at the moment you choose to reveal it after the countdown ends. It is never decrypted "just in case."

Passcodes and keys are never logged

Plaintext passcodes, encryption keys, and secrets are never written to logs, printed, or exposed in error messages. There is no analytics or third party that ever sees your passcode.

We collect as little about you as possible

WaitToUnlock keeps the data it holds to the bare minimum needed to run the service: your email address, when your account was created, whether you have lifetime access, and your encrypted passcode. There's no tracking profile, no selling of data, and you can delete your account and everything tied to it at any time.

You're the only one who can reach your data

All database access happens server-side; your browser never talks to the database directly. Every request carries a Firebase ID token that is verified on the server, and every action is authorised against the user ID in that token, so the server only ever reads or changes the passcode belonging to the signed-in account, never anyone else's.
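The two checks described in the last two sections, decrypt only after the countdown and only for the account that owns the record, come down to a short server-side decision that is easy to get wrong. The Python below is an added illustration, not WaitToUnlock's code: the record layout, field names and in-memory "database" are constructed for the example, Firebase token verification is assumed to have already happened (only the resulting uid is passed in), and a stand-in decrypt callable replaces the real cipher so the block runs without a crypto library. The hardened version looks the record up by the authenticated uid and takes no account identifier from the request at all; the insecure version beside it shows why that matters.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional, Tuple


@dataclass(frozen=True)
class PasscodeRecord:
    owner_uid: str              # Firebase uid the row belongs to
    encrypted_passcode: bytes   # ciphertext as stored; never decrypted while locked
    unlock_at: datetime         # when the countdown ends (timezone-aware, UTC)


# Constructed sample data for this example; the real schema is not known.
ALICE_UNLOCK = datetime(2026, 6, 21, 12, 0, tzinfo=timezone.utc)
RECORDS: Dict[str, PasscodeRecord] = {
    "alice-uid": PasscodeRecord("alice-uid", b"ciphertext-alice", ALICE_UNLOCK),
    "bob-uid": PasscodeRecord("bob-uid", b"ciphertext-bob", ALICE_UNLOCK - timedelta(days=1)),
}
FAKE_PLAINTEXT = {b"ciphertext-alice": "1234", b"ciphertext-bob": "5678"}


def fake_decrypt(token: bytes) -> str:
    """Stand-in for the real decryption step so the example runs offline."""
    return FAKE_PLAINTEXT[token]


Result = Tuple[str, Optional[str]]  # (status, passcode or None)


def reveal(verified_uid: str, now: datetime,
           records: Dict[str, PasscodeRecord], decrypt: Callable[[bytes], str]) -> Result:
    """Hardened reveal. `verified_uid` is the uid taken from an ID token the server
    has already verified; nothing from the request body selects the record."""
    record = records.get(verified_uid)
    if record is None:
        return ("not_found", None)
    if now < record.unlock_at:                      # server clock, not the client's
        return ("locked", None)                     # ciphertext untouched before the countdown ends
    return ("revealed", decrypt(record.encrypted_passcode))


def reveal_insecure(requested_uid: str, now: datetime,
                    records: Dict[str, PasscodeRecord], decrypt: Callable[[bytes], str]) -> Result:
    """Anti-pattern: the record is chosen by an identifier the client sent.
    Authentication alone does not stop one signed-in user reading another's row."""
    record = records.get(requested_uid)
    if record is None:
        return ("not_found", None)
    if now < record.unlock_at:
        return ("locked", None)
    return ("revealed", decrypt(record.encrypted_passcode))


def demo_results() -> Dict[str, Result]:
    """Run the scenarios a reviewer would check and return them by name."""
    before = ALICE_UNLOCK - timedelta(minutes=1)
    after = ALICE_UNLOCK + timedelta(minutes=1)
    return {
        "alice_before": reveal("alice-uid", before, RECORDS, fake_decrypt),
        "alice_after": reveal("alice-uid", after, RECORDS, fake_decrypt),
        "unknown_user": reveal("mallory-uid", after, RECORDS, fake_decrypt),
        # Alice is authenticated, but the insecure handler lets her name Bob's row.
        "insecure_alice_reads_bob": reveal_insecure("bob-uid", after, RECORDS, fake_decrypt),
    }


if __name__ == "__main__":
    for name, result in demo_results().items():
        print(f"{name}: {result}")
```

Note that the hardened `reveal` has no parameter through which a caller could ask for someone else's record; that absence, rather than an extra comparison, is what makes the authorisation check hard to bypass.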

The connection and your session are locked down

Traffic is served over HTTPS with HSTS enforced. The app sets a strict Content Security Policy and the standard protective headers (X-Frame-Options: DENY, X-Content-Type-Options: nosniff, a strict Referrer-Policy). Sessions are stored server-side, and the session cookie is HttpOnly with SameSite protection to reduce the risk of cookie theft and cross-site request forgery.

Abuse protection

WaitToUnlock has protections in place to detect and slow down automated abuse. We intentionally offer only Google Sign-In, so we never have to store a password of yours at all.

An honest note on trust

Strong encryption protects your passcode from anyone who shouldn't have it, including in the event of a database breach, provided the key is not taken along with the data. It is not a magic box that even I can never open, because the service has to be able to decrypt your passcode to show it back to you. What I can promise is that I never look at it, never log it, and have built the system so it's only ever revealed to you. If that trade-off doesn't sit right with you, the refund promise always applies.

Found a security issue?

If you believe you've found a vulnerability, please email me directly at hello@waittounlock.com before disclosing it publicly. I read every message and will work with you to fix it quickly.


© 2026 WaitToUnlock • Made with ❤️ in London, UK