Cookie Policy
Last updated: 12 May 2026
Dropura is a small project — these terms are a starting point; consult a lawyer for legal advice before relying on them.
This page lists every cookie Dropura currently sets, why each one exists, and how to opt out. It supplements our Privacy Policy.
What are cookies?
A cookie is a small piece of text a website asks your browser to store. The browser sends the cookie back on later visits so the site can remember you between page loads — for example to keep you signed in, or to remember which language you prefer.
Categories
- Strictly necessary — without these the service does not work. No consent is required under EU / UK law because the cookie is essential to deliver the service you asked for.
- Functional — remember preferences that improve the experience but are not required.
- Analytics & advertising — none today. If we ever add analytics we will require explicit opt-in via the cookie consent banner; no analytics cookies will be set before you accept.
Cookies we set
| Name | Category | Type | Purpose | Duration |
|---|---|---|---|---|
dropura.auth |
Strictly necessary | First-party, HttpOnly | Signed session token. Identifies you across requests after you sign in. | Session (signed) |
dropura.csrf |
Strictly necessary | First-party | Anti-CSRF companion token. Paired with X-CSRF-TOKEN header to block cross-site forgery. |
Session |
dropura.cookieconsent |
Strictly necessary | First-party | Records that you have seen or accepted the cookie banner so we don't show it again. | 12 months |
dropura.lang |
Functional | First-party | Remembers your preferred language (when language alternatives ship). | 12 months |
dropura.theme |
Functional | First-party | Remembers your preferred light/dark theme override. | 12 months |
__cf_bm |
Strictly necessary | Third-party (Cloudflare) | Cloudflare bot-management cookie set on requests that pass through Cloudflare's edge. | 30 minutes (rolling) |
We currently set no analytics or advertising cookies and no cross-site tracking cookies. If this changes we will list the new cookies here and require opt-in before they are set.
How to opt out
- Functional and analytics cookies (when they exist) — use the cookie consent banner shown on your first visit, or revisit the Privacy section of your account to change your choice.
- Strictly necessary cookies — these cannot be disabled and the service will not work without them. You can still block them in your browser, but you won't be able to sign in or submit forms.
- All cookies — every modern browser lets you block or delete cookies for an individual site; the menu path differs by browser.
Blocking cookies does not remove cookies already on your device — you also need to clear them in your browser's privacy / history settings.
Third-party cookies
Dropura runs behind Cloudflare, which acts as a CDN and DDoS
protection layer. Cloudflare may set the __cf_bm
cookie on requests routed through their edge to distinguish bots
from human visitors. The cookie is short-lived (30 minutes) and
contains no personally identifying information.
We do not embed third-party analytics, advertising pixels, social share widgets, or fonts that would set additional third-party cookies.
Changes to this policy
We may update this page when we add or remove cookies. The
changelog lives in version control:
docs/legal/cookies.md in the Dropura source tree.
Contact
Questions about cookies? [email protected].