SecNote
End-to-end encrypted, read-once notes. AES-256-GCM in the browser, proof-of-work spam protection, zero accounts. Self-hostable, with a Rust backend.
Cost / License
- Free
- Open Source
Platforms
- Online
- Software as a Service (SaaS)
Features
- Ad-free
- AES-256 Encryption
- End-to-End Encryption
- Tor
- Rust
- Zero Knowledge
SecNote information
What is SecNote?
SecNote is a self-hostable service for sending end-to-end encrypted, read-once notes. Notes are encrypted in the browser with AES-256-GCM, while the server stores only ciphertext in RAM and deletes each note atomically after the first read, TTL expiration, or process restart. The encryption key stays in the URL fragment and is never sent to the server.
A notable security feature is authenticated API responses: every /info and /api/v1/* response is signed with an Ed25519 key, and the official frontend verifies the signature before parsing the response body. This helps protect against response tampering or injection even if a network-level attacker can intercept TLS with a forged or locally trusted certificate.
SecNote uses a TOFU-style trust model by default: the client fetches the server public key on first connection, stores it locally for that API origin, and verifies later responses against it. For stricter setups, the public key can be pre-pinned out-of-band, and operators can set a stable SIGNING_KEY so pinned clients do not need to re-trust the server after restarts.
The project also includes proof-of-work anti-spam protection, burn-read protection via a key-derived view_token, hashed IP-based abuse tracking, strict CSP, built-in TLS support, Tor Browser compatibility, and a downloadable static frontend that can be run locally and pointed at any compatible backend.





