Back to News
Advertisement
hhidetext about 11 hours ago 0 commentsRead Article on hidetext.sh

HI version is available. Content is displayed in original English for accuracy.

Hi HN! I built hidetext.sh — a way to share text, code, and files through links the server can't read.

How it works: your browser generates a random key and encrypts everything locally (NaCl secretbox, XSalsa20-Poly1305). Only ciphertext is uploaded. The key goes into the URL fragment — the part after # — which browsers never send to servers. The link carries the key, my server stores the locked box, and the two only meet in a browser.

A design detail I'm fairly happy with: burn-after-read doesn't destroy the paste on the first HTTP request. The naive version means a Slack or iMessage link preview "reads" your paste before the recipient ever opens it. Instead, the reader's tab sends a heartbeat, and the paste is deleted only once nobody is watching it anymore.

Being upfront about the limits (full page at hidetext.sh/how-it-works): you're trusting the JavaScript I serve — inherent to any browser-based E2E tool; filenames are stored in plaintext (contents aren't); and anyone holding the link can read the content, because the link is the key. No accounts, no cookies, no analytics, IPs aren't stored.

Stack: Next.js static on Cloudflare Pages, Pages Functions, D1 for metadata, R2 for encrypted blobs.

It's free. I'd love feedback — especially on the threat model and anything you'd expect from a tool like this that's missing.

Advertisement

Discussion (0 Comments)Read Original on HackerNews

No comments available or they could not be loaded.