SecretNotes/Pro

Zero-knowledge encrypted notes that self-destruct after reading. Encryption happens in your browser - the server never sees your content. Includes encrypted messenger and secure requests. Free, no account needed.

Cost / License

  • Free
  • Proprietary

Platforms

  • Online

Features

Properties

  1.  Privacy focused

Features

  1.  No registration required
  2.  End-to-End Encryption
  3.  Syntax Highlighting
  4.  Password Sharing
  5.  Ad-free
  6.  Automatic Backup
  7.  AES-256 Encryption
  8.  Dark Mode
  9.  Support for MarkDown
  10.  Encrypted Backup
  11.  Team Collaboration

SecretNotes/Pro information

  • Developed by

    Unknown
  • Licensing

    Proprietary and Free product.
  • Alternatives

    14 alternatives listed
  • Supported Languages

    • English
    • Bosnian
    • Bulgarian
    • Czech
    • Danish
    • German
    • Estonian
    • Greek
    • Spanish
    • French
    • Georgian
    • Croatian
    • Icelandic
    • Italian
    • Latvian
    • Lithuanian
    • Hindi
    • Hungarian
    • Maltese
    • Dutch
    • Norwegian
    • Polish
    • Portuguese
    • Romanian
    • Russian
    • Slovak
    • Slovene
    • Serbian
    • Finnish
    • Swedish
    • Turkish
    • Ukrainian
    • Chinese
    • Japanese
    • Korean
SecretNotes/Pro was added to AlternativeTo by secretnotes-pro on and this page was last updated .

What is SecretNotes/Pro?

SecretNotes is a zero-knowledge encrypted notes platform where all encryption and decryption happens entirely in the user's browser. The server stores only encrypted data and never has access to the encryption key - by design, not by policy.

[How it works]

When you create a note, your browser encrypts it using AES-256-GCM before anything leaves your device. The encryption key is stored in the URL fragment (the part after #), which browsers never send to the server per the HTTP specification (RFC 3986). This means the server physically cannot access your decryption key - it's a web standard since 1994, not a proprietary feature.

The recipient opens the link, and their browser decrypts the content locally. If Burn After Read is enabled, the note is deleted from the database before the encrypted content is even returned.

[Key features]

  • Zero-knowledge encryption - AES-256-GCM, client-side only. Server stores encrypted noise.
  • Burn After Read - note is permanently deleted after a single viewing
  • Delayed Burn - note self-destructs X minutes after being read
  • Encrypted Messenger - real-time E2E encrypted conversations (AES-256-GCM, PBKDF2 with 600K iterations)
  • Secure Requests - create encrypted forms to safely receive credentials or sensitive info from others
  • Custom encryption keys - use your own key and share it through a separate channel (e.g., phone call) for two-factor security
  • Syntax highlighting - automatic language detection for code snippets (Shiki + highlight.js)
  • Emergency Wipe - one-click destruction of all your notes
  • Encryption Proof Panel - verify every encryption claim yourself using Python, Node.js, or browser console
  • 32 languages supported
  • No account required for basic use

[Security protection]

  • Brute force protection: 62^6 (56.8 billion) password combinations + rate limiting (30/min) + lockout after 3 failures
  • Anti-enumeration: wrong password and non-existent note return identical error messages with identical timing
  • Timing-safe comparisons using HMAC-SHA256 + timingSafeEqual
  • Nonce-based Content Security Policy, CSRF protection on all mutating endpoints
  • Hosted on OVH in France (EU, GDPR-compliant)

[What makes us different]

Unlike services that encrypt on their server (where the server holds the decryption key), SecretNotes encrypts in your browser. If our database is breached, the attacker finds encrypted blobs with no keys - useless data. The encryption key never reaches the server.

We also provide tools to verify this: a built-in Encryption Proof Panel with step-by-step guides to independently decrypt notes using standard crypto libraries. Don't trust us - verify.

[Tech stack]

Next.js 16, React 18, TypeScript, PostgreSQL 16, Web Crypto API (AES-256-GCM), Tailwind CSS. Desktop apps (Windows, Linux, macOS) and mobile apps (Android, iOS) planned.
