- VERSION: 2026-06-22
- EFFECTIVE: 20 June 2026
- CONTACT: legal@bassilisk.com
Current position
Bassilisk does not use advertising, cross-site tracking, or visitor analytics cookies. No non-essential cookie is placed on a first anonymous visit.
The storage below is used for authentication, sign-in security, requested navigation, and a theme setting you explicitly choose. Because Bassilisk does not currently use optional tracking storage, it does not show a consent banner. A banner that merely stores its own consent cookie would add storage without providing a real choice.
Cookie register
| Name | Purpose | Duration |
|---|---|---|
| auth_session | Keeps a signed-in author authenticated. HTTP-only and same-site. | 30 days; renewed during active use |
| google_oauth_state | Prevents forged Google sign-in callbacks. | 10 minutes |
| google_code_verifier | Secures the Google OAuth code exchange using PKCE. | 10 minutes |
| github_oauth_state | Prevents forged GitHub account sign-in callbacks. | 10 minutes |
| discord_oauth_state | Prevents forged Discord account sign-in callbacks. | 10 minutes |
| discord_code_verifier | Secures the Discord OAuth code exchange using PKCE. | 10 minutes |
| auth_next | Returns you to the requested Bassilisk page after sign-in. | 10 minutes |
| gh_oauth_state | Protects the separate legacy GitHub flow used by authorised CMS administration. | 10 minutes |
Blank session cookies may be sent during sign-out to remove the active session cookie. One-time email sign-in tokens are stored in the Bassilisk database as hashes, not as browser cookies.
Local storage
| Key | Purpose | Duration |
|---|---|---|
| bassilisk-theme | Remembers Dark, Light, or Custom after you select it in Settings. | Until you change it, clear site data, or delete your account through Settings |
Dark is the default. Bassilisk reads the theme key on page load but writes it only after you choose a theme. The value remains on your device and is not transmitted as account data.
Embedded video
YouTube and Vimeo embeds render as local, thumbnail-free placeholders. The
browser does not contact the video provider until you press play. Activating
a video loads that provider’s player, which may receive your IP address,
browser headers, and the page context, and may use its own browser storage under
its policy. YouTube players use the youtube-nocookie.com domain,
but that does not prevent all provider-side processing.
Your controls
Sign out to remove the active session. Use browser settings to inspect or
clear cookies and local storage. Blocking essential authentication cookies
prevents account sign-in but does not block public reading. You can reset the
theme by clearing the bassilisk-theme key or selecting Default.
Future changes
Optional analytics, advertising, or similar technology will not be enabled without first implementing the legally required information and choice. If optional storage is introduced, it will remain blocked until a valid choice is made and that choice can be withdrawn as easily as it was given.