Security
mysecret.now is built around one principle: the server cannot read your secret, even if it wanted to. Here is how that is enforced and what it does and does not protect against.
Send secrets securely
A free tool from WebF1
No account. No tracking. No stored plaintext.
mysecret.now is built around one principle: the server cannot read your secret, even if it wanted to. Here is how that is enforced and what it does and does not protect against.
The decryption passphrase is generated, shown, and used exclusively in your browser. It is never transmitted, never persisted, and never logged. The database holds only the ciphertext, a random IV, and a non-secret Argon2id salt - all three are useless without the passphrase.
Reads use DELETE FROM secrets WHERE id = $1 AND expires_at > now() RETURNING …. PostgreSQL guarantees that two concurrent transactions cannot both receive the row - making the one-time-view guarantee robust under load.
The read query refuses expired rows. A cron job running inside the API hard-deletes expired rows every 15 minutes. Even if no one ever reads your secret, it will be gone within 15 minutes of its expiry.
POST /api/secrets.X-Content-Type-Options: nosniff, X-Frame-Options: DENY.Referrer-Policy: no-referrer - your recipients' browsers will not leak the secret link in Referer headers.interest-cohort.mysecret.now loads no analytics, no advertising, and no fonts or assets from third-party CDNs (the web font is served by Next.js itself). No accounts are required and we have no need to collect personal data.