Show HN: Hidetext.sh – encrypted pastebin where the server never sees the key

hidetext1 pts0 comments

Hi HN! I built hidetext.sh — a way to share text, code, and files through links the server can t read.How it works: your browser generates a random key and encrypts everything locally (NaCl secretbox, XSalsa20-Poly1305). Only ciphertext is uploaded. The key goes into the URL fragment — the part after # — which browsers never send to servers. The link carries the key, my server stores the locked box, and the two only meet in a browser.A design detail I m fairly happy with: burn-after-read doesn t destroy the paste on the first HTTP request. The naive version means a Slack or iMessage link preview reads your paste before the recipient ever opens it. Instead, the reader s tab sends a heartbeat, and the paste is deleted only once nobody is watching it anymore.Being upfront about the limits (full page at hidetext.sh/how-it-works): you re trusting the JavaScript I serve — inherent to any browser-based E2E tool; filenames are stored in plaintext (contents aren t); and anyone holding the link can read the content, because the link is the key. No accounts, no cookies, no analytics, IPs aren t stored.Stack: Next.js static on Cloudflare Pages, Pages Functions, D1 for metadata, R2 for encrypted blobs.It s free. I d love feedback — especially on the threat model and anything you d expect from a tool like this that s missing.

link hidetext server read browser paste

Related Articles