Can You Encrypt a QR Code?
A QR code is a data container, not a secure vault. The ISO 18004 standard defines how data is encoded into a module pattern, but it includes no encryption layer. Anyone who scans the code can read the raw payload — a URL, plain text, or vCard data.
Security therefore lives outside the code, at the destination. The QR code simply links to a protected resource; the resource itself enforces access control.
Password-Protected Destinations
The most common approach is to point the QR code at a password-gated landing page. When a user scans the code, they see a password prompt before accessing the content.
Implementation Approaches
- Server-side gate — a simple form that validates a password against a stored hash (bcrypt, Argon2). Best for documents and files.
- Token in URL — embed a one-time token in the QR URL. The server validates the token and optionally expires it after one use.
- Third-party link managers — services like Bitly or Rebrandly offer password-protected short links that work as QR destinations.
Avoid Plain-Text Passwords in QR Data
Expiration Dates and Scan Limits
Dynamic QR code services let you set time-based and count-based access controls:
Access control options for dynamic QR codes
| Control | How It Works | Use Case |
|---|---|---|
| Expiration date | Link deactivates after a set date/time | Event tickets, limited-time offers |
| Scan limit | Link deactivates after N scans | Contest entries, one-time downloads |
| Geo-fencing | Link only works within a geographic area | In-store promotions, venue-specific content |
| Device limit | One scan per unique device fingerprint | Free trial activations |
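Putting the password gate, the one-time token and the dynamic controls together, here is an added Python example (not code from the original article or from any QR service) of the server-side record that a token-bearing QR URL resolves to. It assumes a hypothetical DynamicLink schema of its own, uses the standard library's PBKDF2 in place of bcrypt or Argon2 so that it runs without extra packages, and stores only the SHA-256 hash of the URL token rather than the token itself.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Stand-in for bcrypt/Argon2 (which need third-party packages): PBKDF2-HMAC-SHA256
# with a random 16-byte salt prepended to the stored digest.
PBKDF2_ROUNDS = 200_000
SALT_LEN = 16


def hash_password(password: str) -> bytes:
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


@dataclass
class DynamicLink:
    """Hypothetical server-side record behind one QR destination (schema assumed for this example)."""
    target: str                                 # the protected resource
    password_hash: Optional[bytes] = None       # None = no password gate
    token_hash: Optional[bytes] = None          # SHA-256 of the token embedded in the QR URL
    expires_at: Optional[float] = None          # unix time; None = never expires
    max_scans: Optional[int] = None             # None = unlimited
    scan_count: int = 0
    max_devices: Optional[int] = None           # None = no device limit
    seen_devices: set = field(default_factory=set)


def issue_token(link: DynamicLink) -> str:
    """Mint the URL token. Only its hash is stored, so a database leak does not leak live tokens."""
    token = secrets.token_urlsafe(32)
    link.token_hash = hashlib.sha256(token.encode()).digest()
    return token


def resolve(link: DynamicLink, token: Optional[str] = None, password: Optional[str] = None,
            device_id: Optional[str] = None, now: Optional[float] = None) -> Tuple[bool, str]:
    """Evaluate one scan. Returns (allowed, target-or-reason); counters move only on success."""
    now = time.time() if now is None else now
    if link.expires_at is not None and now >= link.expires_at:
        return False, "expired"
    if link.max_scans is not None and link.scan_count >= link.max_scans:
        return False, "scan limit reached"
    if link.token_hash is not None:
        if token is None:
            return False, "token required"
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(presented, link.token_hash):
            return False, "bad token"
    if link.password_hash is not None:
        if password is None or not verify_password(password, link.password_hash):
            return False, "bad password"
    if link.max_devices is not None:
        if device_id is None:
            return False, "device fingerprint required"
        if device_id not in link.seen_devices:
            if len(link.seen_devices) >= link.max_devices:
                return False, "device limit reached"
            link.seen_devices.add(device_id)
    link.scan_count += 1
    return True, link.target


if __name__ == "__main__":
    # Constructed demo: a ticket link that expires in an hour and allows two scans.
    ticket = DynamicLink(target="https://example.com/ticket/42",
                         password_hash=hash_password("open sesame"),
                         expires_at=time.time() + 3600, max_scans=2)
    tok = issue_token(ticket)
    print("QR URL:", f"https://example.com/r?t={tok}")
    for pw in ("open sesame", "wrong", "open sesame", "open sesame"):
        print(resolve(ticket, token=tok, password=pw))
```

The order of checks matters: expiry and scan limits are evaluated before any secret is compared, so an exhausted link never burns CPU on password hashing, and the scan counter is only incremented after every gate has passed, so a wrong password does not consume one of the N allowed scans.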
QRishing — QR Phishing Attacks
QRishing is a social engineering attack where a malicious QR code is placed over a legitimate one (or displayed in a trusted context) to redirect users to a phishing site, malware download, or credential-harvesting page.
Common Attack Vectors
- Sticker overlays — an attacker places a sticker with a malicious QR code over a legitimate one on a poster or parking meter.
- Phishing emails — a QR code in an email can slip past link-scanning filters that only inspect clickable text, because the URL is hidden inside an image rather than in a link.
- Fake payment prompts — a code that opens a payment page mimicking a trusted merchant.
Defence for Users
Defence for QR Code Publishers
- Always use HTTPS URLs — browsers flag HTTP sites as insecure.
- Use your own domain rather than generic shorteners — brand recognition builds trust.
- Print QR codes on tamper-evident materials where possible.
- Monitor scan analytics for unexpected spikes in traffic from unusual locations.
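The "preview before scanning" defence for users and the HTTPS / own-domain rules for publishers can be turned into one check that runs on the decoded payload before anything is opened. The following Python is an added example, not code from the article or from any scanner app; the shortener list is constructed for the example, and `expected_domain` is an assumed parameter a publisher-branded scanner would know.

```python
import ipaddress
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed list for this example; a real checker would carry its own, maintained list.
GENERIC_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "rebrand.ly"}


def assess_payload(payload: str, expected_domain: Optional[str] = None) -> List[str]:
    """Return warnings for a decoded QR payload; an empty list means nothing was flagged.

    Intended for the preview step: the scanner shows the payload plus these warnings
    and the user decides. Nothing here fetches the URL.
    """
    warnings: List[str] = []
    if "://" not in payload:
        # Plain text, vCard, WIFI: and similar payloads are displayed, never auto-opened.
        return ["not a URL: show as text, do not auto-open"]

    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if scheme != "https":
        warnings.append(f"scheme '{scheme}' is not https: no transport encryption or site identity")

    host = (parts.hostname or "").lower()
    if not host:
        warnings.append("URL has no host")
        return warnings
    if parts.username is not None:
        # https://trusted.example@other.host/ shows the trusted name first but goes elsewhere
        warnings.append("userinfo before '@': the part shown first is not the real host")
    try:
        ipaddress.ip_address(host)
        warnings.append("host is a bare IP address rather than a domain name")
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host:
        warnings.append("punycode host: check for look-alike characters")
    if host in GENERIC_SHORTENERS:
        warnings.append(f"generic shortener {host}: final destination is hidden until redirect")
    if expected_domain:
        exp = expected_domain.lower().lstrip(".")
        if host != exp and not host.endswith("." + exp):
            warnings.append(f"host {host} is not {exp} or a subdomain of it")
    return warnings


if __name__ == "__main__":
    # Constructed sample payloads, as a scanner app would decode them.
    samples = [
        "https://www.example.com/menu",
        "http://example.com.evil.test/login",
        "https://example.com@203.0.113.5/pay",
        "https://bit.ly/3xAmPle",
        "WIFI:T:WPA;S:CafeGuest;P:latte;;",
    ]
    for s in samples:
        print(s, "->", assess_payload(s, expected_domain="example.com") or ["ok"])
```

The suffix check is the important part: `example.com.evil.test` contains the trusted name but is not a subdomain of it, which is exactly the shape a sticker-overlay URL tends to take. Any warning leaves the decision with the user; the function never auto-follows a link.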
WiFi QR Codes and WPA3
WiFi QR codes encode the network name (SSID), security type, and password in the standard WIFI: format. The password is part of the payload and is handed to the scanning device — so the QR code effectively shares the password with anyone who scans it.
For guest networks, this is convenient and secure enough. For sensitive networks, consider:
- Using a separate guest VLAN with bandwidth limits.
- Rotating the password periodically and regenerating the QR code.
- Upgrading to WPA3, which provides stronger encryption and forward secrecy.
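To make the "the code shares the password" point concrete, here is an added Python example (not from the article or any QR generator) that builds and parses the WIFI: payload with the escaping the format requires, then reports what a printed code discloses. The field names T, S, P and H are the ones in the format; the review function and its wording are this example's own.

```python
from typing import Dict, List, Optional

# Characters that the WIFI: format requires to be backslash-escaped inside a field value.
_SPECIAL = '\\;,":'


def _escape(value: str) -> str:
    return "".join("\\" + ch if ch in _SPECIAL else ch for ch in value)


def build_wifi_payload(ssid: str, password: Optional[str], auth: str = "WPA",
                       hidden: bool = False) -> str:
    """Assemble WIFI:T:<auth>;S:<ssid>;P:<password>;H:true;; with proper escaping."""
    fields = [f"T:{auth if password else 'nopass'}", f"S:{_escape(ssid)}"]
    if password:
        fields.append(f"P:{_escape(password)}")
    if hidden:
        fields.append("H:true")
    return "WIFI:" + ";".join(fields) + ";;"


def parse_wifi_payload(payload: str) -> Dict[str, str]:
    """Split on unescaped ';' and drop the escaping backslashes; returns {field: value}."""
    if not payload.startswith("WIFI:"):
        raise ValueError("not a WIFI: payload")
    body = payload[len("WIFI:"):]
    fields: Dict[str, str] = {}
    current: List[str] = []
    i = 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):      # escaped char: keep the next char literally
            current.append(body[i + 1])
            i += 2
            continue
        if ch == ";":                              # unescaped ';' ends a field
            if current:
                key, _, value = "".join(current).partition(":")
                fields[key] = value
            current = []
        else:
            current.append(ch)
        i += 1
    return fields


def review_wifi_payload(payload: str) -> List[str]:
    """What a publisher gives away by printing this code (findings, not a vulnerability scan)."""
    f = parse_wifi_payload(payload)
    findings: List[str] = []
    auth = f.get("T", "nopass").upper()
    if f.get("P"):
        findings.append(f"{auth} password for SSID {f.get('S', '?')!r} is readable by anyone "
                        "who scans or photographs the code")
    if auth == "WEP":
        findings.append("WEP is obsolete and easily broken; do not publish WEP credentials")
    return findings


if __name__ == "__main__":
    # Constructed guest-network credentials with characters that need escaping.
    payload = build_wifi_payload('Cafe "Main"; Guest', "p@ss;word:1,2")
    print(payload)
    print(parse_wifi_payload(payload))
    for finding in review_wifi_payload(payload):
        print("-", finding)
```

The parser is the part worth keeping: a naive `split(";")` breaks on any SSID or password containing a semicolon, and a generator that forgets to escape produces a code that joins the wrong network. The review output is the reason the article recommends a separate guest VLAN and periodic rotation: whatever is printed is public to everyone who has ever scanned it.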
Best Practices Summary
Security checklist for QR code deployment
| Practice | Why It Matters |
|---|---|
| Use HTTPS URLs | Encrypted transport; browser trust indicators |
| Preview before scanning | Catches QRishing attempts |
| Password-gate sensitive content | Adds an access control layer |
| Set expiration on dynamic codes | Limits exposure window |
| Use your own domain | Brand trust; easier monitoring |
| Test on multiple devices | Ensures consistent behaviour |