mysecret.now

Send secrets securely

Security

mysecret.now is built around one principle: the server cannot read your secret, even if it wanted to. Here is how that is enforced and what it does and does not protect against.

The server cannot read your secret

The decryption passphrase is generated, shown, and used exclusively in your browser. It is never transmitted, never persisted, and never logged. The database holds only the ciphertext, a random IV, and a non-secret Argon2id salt - all three are useless without the passphrase.

One-time view (atomic)

Reads use DELETE FROM secrets WHERE id = $1 AND expires_at > now() RETURNING …. PostgreSQL guarantees that two concurrent transactions cannot both receive the row - making the one-time-view guarantee robust under load.

Expiry is enforced server-side

The read query refuses expired rows. A cron job running inside the API hard-deletes expired rows every 15 minutes. Even if no one ever reads your secret, it will be gone within 15 minutes of its expiry.

Anti-abuse

  • Rate limiting: 60 requests/min/IP general; 10 writes/min/IP for POST /api/secrets.
  • Proof-of-Work: SHA-256 leading-zero-bits challenge, HMAC-signed by the server, short TTL.
  • Body limits: 100KB max request body.

Transport & headers

  • HSTS with preload, X-Content-Type-Options: nosniff, X-Frame-Options: DENY.
  • Referrer-Policy: no-referrer - your recipients' browsers will not leak the secret link in Referer headers.
  • CORS locked to the configured web origin.
  • Permissions Policy disables camera, microphone, geolocation, and interest-cohort.

No third parties

mysecret.now loads no analytics, no advertising, and no fonts or assets from third-party CDNs (the web font is served by Next.js itself). No accounts are required and we have no need to collect personal data.

What mysecret.now does not protect against

  • A compromised browser or device on either end. If your machine has malware, the plaintext can be observed before encryption or after decryption.
  • Sending both link and passphrase through the same channel. If an attacker controls that channel, they have both halves.
  • A compromised recipient. They can copy, screenshot, or forward the plaintext after decryption.