The Core Security Difference Between Static and Dynamic QR Codes
Every QR code generator offers two fundamentally different architectures. Understanding which one you are using - and why it matters - determines how vulnerable the people who scan your code actually are.
A static QR code has its destination permanently encoded in the pattern of the image itself. When a phone scans it, the phone reads the URL directly from the pixels and opens it - no server in between, no redirect, no intermediary of any kind.
A dynamic QR code encodes a short URL pointing to the QR service's own server. That server reads the code's ID, looks up where it is supposed to redirect today, and then forwards the user's browser to the real destination. The printed code is just a pointer to a database record that someone else controls.
That architectural difference creates a security gap most users never consider until it matters.
The Middleman Attack Surface
The redirect server that powers every dynamic QR code is a single point of failure for every code it has ever generated. It is, by definition, a target.
When a criminal compromises a redirect server - whether through a data breach, a supply-chain attack, a rogue employee, or a company simply going bankrupt and selling its domain - they can instantly change the destination of every active code that passes through that server. A menu QR code printed on 10,000 restaurant table tents can be redirected to a phishing page before the restaurant owner notices anything is wrong.
This type of attack is not hypothetical. Researchers have documented multiple incidents of "quishing" (QR code phishing) that exploit dynamic redirect infrastructure. See our full guide on QR code security threats for documented examples.
A static QR code has no server to compromise. The URL is encoded in the pixels of the image. The only way to "hack" a static QR code's destination is to physically replace the printed sticker with a new one - an attack that requires physical presence, is visible to observers, and is self-limiting in scale.
Privacy: What Dynamic Codes Collect Without Telling You
Every scan of a dynamic QR code passes through the redirect server. That server, by design, logs the transaction. The data collected typically includes:
- IP address - reveals approximate geographic location, ISP, and in many jurisdictions is classified as personal data under GDPR and similar regulations
- Device type and operating system - the User-Agent string reveals your phone model and software version
- Timestamp of scan - exact time and date
- Referrer information - how the scan was initiated
- Scan count and frequency - building a behavioral profile over repeated scans
This data is valuable to the QR service's business model and is typically sold or shared with advertising platforms as part of the service's Terms of Service - which most users never read.
When someone scans a static QR code, none of this happens. The transaction is between the scanning phone and the destination server. The QR code generator - including us - never sees the scan. We generate the code in your browser; once downloaded, it is yours and we have no visibility into whether or how it is used.
Client-Side Generation: Your Data Never Leaves Your Browser
There is a second, separate privacy risk most users overlook: the generation process itself.
Most QR code generators require you to submit your data to their server to create the code. This means:
- Your WiFi network name and password are transmitted to and logged by a third-party server
- Your cryptocurrency wallet address is stored in a commercial database
- Your vCard personal details - phone number, home address, email - become part of someone else's dataset
Our generator is entirely client-side. The QR code is computed by JavaScript running inside your own browser using your device's processing power. No data is transmitted to any server during generation. The network tab in your developer tools will show zero outbound requests for your input data - you can verify this yourself.
For sensitive data types - WiFi passwords, crypto addresses, personal contact details - client-side generation is not a feature, it is a fundamental requirement for responsible use.
When to Always Use a Static Code
The following use cases should never use a dynamic QR code, for security and privacy reasons:
WiFi Network Credentials
A WiFi QR code encodes your network name and password. If that password passes through a dynamic redirect server, it is logged. If the server is ever breached, your network credentials are exposed. Use our client-side WiFi QR code generator - your password is encoded in your browser and never transmitted.
Cryptocurrency Payment Addresses
A dynamic QR code for a Bitcoin or Ethereum address is a catastrophic risk. A compromised redirect server could substitute your wallet address with the attacker's for every subsequent scan. One database change redirects all incoming payments permanently until you notice - which, for a printed sticker on a point-of-sale terminal, could take weeks. Use our Bitcoin QR code generator for a static, permanent address code.
Contact Information (vCards)
When a colleague scans your vCard QR code, you want your phone number going directly into their contacts - not passing through a marketing analytics database that profiles scan behavior and sells aggregate data to advertisers. Use our vCard generator.
Medical or Legal Document Links
If you link to a sensitive document - a medical form, a legal contract, an insurance certificate - via a dynamic QR code, the redirect server has a full log of who scanned it, when, and from where. For documents requiring confidentiality, static links are the only appropriate choice.
The Only Legitimate Case for Dynamic Codes
Dynamic codes have one genuine advantage: the destination URL can be changed after the code has been printed. This is legitimately useful in very specific scenarios:
- Large-scale product packaging runs where reprinting is cost-prohibitive
- Event marketing where the destination changes between pre-event, during-event, and post-event phases
- Retail displays where the linked promotion changes seasonally
Even in these cases, be aware that the "changeable" feature has a hard dependency: the moment you stop paying the QR service's subscription, every code stops working. For printed materials that may remain in circulation for years (product packaging, signage, business cards), a static code is almost always the more reliable long-term choice.
Static vs Dynamic: Security Comparison
| Security Factor | Static QR Code | Dynamic QR Code |
|---|---|---|
| Redirect server attack surface | None - no server involved | High - one breach affects all codes |
| Destination can be changed by third party | No - encoded in pixels | Yes - database record can be modified |
| Scan data collected | None at QR layer | IP, device, timestamp, location |
| Generation privacy (sensitive inputs) | Client-side - stays in your browser | Server-side - transmitted and logged |
| Continues working after subscription cancellation | Yes - permanently | No - stops working immediately |
| Physical tampering vulnerability | Requires replacing the sticker | Can be done remotely via server |
How to Verify a QR Code Is Static Before Scanning
You cannot tell from the printed code alone whether it is static or dynamic - they look identical. The only reliable method is to scan it and inspect the URL shown in the notification before you tap it:
- A URL that includes your actual destination domain (e.g. yourrestaurant.com/menu) is almost certainly static
- A URL that includes a domain you don't recognise (e.g. qr.io/abc123, l.ead.me/xyz) is a dynamic redirect - you are going to a server before your destination
- A URL shortener (e.g. bit.ly/...) is technically a static code pointing to a redirect, which carries similar risks to a fully dynamic code
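The URL-preview check above can be written down as code. This is an added example, not part of our generator: the function name, verdict labels and warning strings are hypothetical, the redirect list holds only the domains named on this page, and the local-payload prefixes (WIFI:, vCard, payment and contact URIs) are an assumption about what a scanner handles without a web request.

```javascript
// Added example: classify the text decoded from a QR code before opening it.
// REDIRECT_HOSTS contains only the domains this page names; extend it yourself.
const REDIRECT_HOSTS = new Set(["qr.io", "l.ead.me", "bit.ly"]);
// Assumed payload prefixes the phone handles locally (no redirect server).
const LOCAL_PREFIXES = ["wifi:", "begin:vcard", "bitcoin:", "ethereum:", "mailto:", "tel:"];

// True when host is the domain itself or a subdomain of it.
function hostMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

function classifyQrPayload(payload, expectedDomain) {
  const text = payload.trim();
  const warnings = [];
  if (LOCAL_PREFIXES.some((p) => text.toLowerCase().startsWith(p))) {
    return { verdict: "static-local", host: null, warnings };
  }
  let url;
  try {
    url = new URL(text);
  } catch {
    return { verdict: "not-a-url", host: null, warnings };
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    return { verdict: "unknown-scheme", host: null, warnings };
  }
  const host = url.hostname.toLowerCase();
  if (url.protocol === "http:") warnings.push("no TLS");
  // "https://trusted.example@other.example/" really goes to other.example.
  if (url.username || url.password) warnings.push("userinfo before host");
  if (host.split(".").some((l) => l.startsWith("xn--"))) warnings.push("punycode host");

  let verdict = "unrecognised-host";
  if ([...REDIRECT_HOSTS].some((d) => hostMatches(host, d))) verdict = "redirect";
  else if (expectedDomain && hostMatches(host, expectedDomain.toLowerCase())) verdict = "direct";
  return { verdict, host, warnings };
}

// Constructed sample payloads, not taken from real codes.
const SAMPLES = [
  "https://yourrestaurant.com/menu",
  "https://qr.io/abc123",
  "https://yourrestaurant.com@l.ead.me/xyz",
  "WIFI:T:WPA;S:CafeGuest;P:example-pass;;",
];
for (const s of SAMPLES) {
  console.log(s, "=>", JSON.stringify(classifyQrPayload(s, "yourrestaurant.com")));
}
```

A "direct" verdict covers only the first hop: the destination site itself can still redirect, so the preview habit applies to the page that finally loads as well.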
For codes you generate yourself, use our tool - every code we generate is static and client-side. For codes you scan in public places, practice the URL-preview habit before tapping. See our QR code safety guide for a comprehensive checklist.