How it works
1. Your text is encrypted with AES-256-GCM using the Web Crypto API
2. A random 256-bit key is generated in your browser
3. Only the encrypted ciphertext is sent to the server
4. The key is placed in the URL fragment (#), which browsers never transmit to the server
5. When someone opens the link, the key is read from the fragment and used to decrypt locally
6. The server never sees the plaintext or the key — even if compromised
7. Burn-after-reading pastes are deleted from memory immediately after one retrieval
8. No IP addresses, cookies, or analytics are recorded for drops
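
Steps 1 to 6 as a runnable sketch using the Web Crypto API. This is an added example, not this service's code: the function names, the base64url encoding, the 12-byte IV stored next to the ciphertext, and the link layout are assumptions.

```javascript
// Added illustration; names, URL layout and encodings are assumptions, not the service's code.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto; // Node fallback outside a browser

const b64u = (buf) => btoa(String.fromCharCode(...new Uint8Array(buf)))
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const unb64u = (s) => Uint8Array.from(
  atob(s.replace(/-/g, '+').replace(/_/g, '/')), (c) => c.charCodeAt(0));

// Sender side: returns what is uploaded and, separately, the link that carries the key.
async function createDrop(text, baseUrl) {
  const key = await wc.subtle.generateKey({ name: 'AES-GCM', length: 256 }, true, ['encrypt']);
  const iv = wc.getRandomValues(new Uint8Array(12)); // 96-bit nonce, fresh per message
  const ct = await wc.subtle.encrypt({ name: 'AES-GCM', iv }, key, new TextEncoder().encode(text));
  const rawKey = await wc.subtle.exportKey('raw', key);
  const upload = { iv: b64u(iv), ciphertext: b64u(ct) }; // the only data the server receives
  return { upload, link: `${baseUrl}#${b64u(rawKey)}` };
}

// What an HTTP request for the link contains: origin, path and query, never the fragment.
function requestTarget(link) {
  const u = new URL(link);
  return u.origin + u.pathname + u.search;
}

// Recipient side: read the key from the fragment and decrypt locally.
async function openDrop(link, upload) {
  const rawKey = unb64u(new URL(link).hash.slice(1));
  const key = await wc.subtle.importKey('raw', rawKey, { name: 'AES-GCM' }, false, ['decrypt']);
  const pt = await wc.subtle.decrypt(
    { name: 'AES-GCM', iv: unb64u(upload.iv) }, key, unb64u(upload.ciphertext));
  return new TextDecoder().decode(pt);
}

// GCM authenticates the ciphertext: a modified stored blob is rejected, not decrypted to garbage.
async function tamperIsRejected(link, upload) {
  const bytes = unb64u(upload.ciphertext);
  bytes[0] ^= 1; // flip one bit, as a faulty or malicious store might
  try {
    await openDrop(link, { ...upload, ciphertext: b64u(bytes) });
    return false;
  } catch {
    return true;
  }
}
```

Because the key travels only in the link, the link itself has to be shared over a channel you trust.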
Limitations
Client-side encryption protects your data from the server operator,
network observers, and casual forensics. It cannot protect against:
• A compromised device (malware, keyloggers, screen capture)
• A compromised browser or malicious extensions
• Physical access to an unlocked device
For high-risk situations, use a trusted device with no extensions and a verified OS.