
hidetext.sh pastebin encrypts data in browser

hidetext.sh is a pastebin that encrypts data in the browser and stores the decryption key in the URL fragment, so the server never sees plaintext. It also includes a burn-after-read mode with a simple race-condition guard.

hidetext.sh is a public paste service that never stores plaintext. When a user pastes text, the browser generates a 96-bit IV and a random AES-GCM key via the Web Crypto API, encrypts the payload, and sends only the ciphertext and IV to the server [MDN Web Docs]. The raw key is base64-encoded and appended to the URL after a # fragment. Because browsers omit the fragment when making HTTP requests, the server receives only scrambled bytes and cannot reconstruct the original text [devto].

The service supports an optional burn-after-read mode, in which the server deletes the stored blob after the first successful fetch and returns a 404 on any subsequent request. To avoid a race where two users open the same link simultaneously, the implementation deletes the record after the first successful GET and lets the second request hit a missing resource.

hidetext.sh accepts files up to 5 MiB and can generate QR-code links for offline sharing. It uses no accounts and no tracking cookies, and all operations are stateless on the backend.

By keeping the decryption key in the fragment, the architecture guarantees that even a compromised server cannot read pastes. The deletion logic runs entirely on the server, but because the server never sees the key, it cannot reconstruct the content after deletion. Any analytics, UI enhancements, or content-moderation tools must operate on encrypted blobs or rely on client-side heuristics, limiting the attack surface and reducing regulatory liability.
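The flow described above, sketched with the Web Crypto API as an added example; this is not hidetext.sh's own code. The function names, the `paste.example` URL layout, the in-memory store and the 256-bit key size are assumptions.

```javascript
// Added example: function names, the paste.example URL and the 256-bit key
// size are assumptions, not taken from hidetext.sh.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto;
// Helpers for short buffers (keys, IVs, small pastes).
const b64 = (buf) => btoa(String.fromCharCode(...new Uint8Array(buf)));
const unb64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));

// Sender: encrypt locally, return the upload body and the link to share.
async function createPaste(plaintext, pasteUrl) {
  const key = await wc.subtle.generateKey({ name: 'AES-GCM', length: 256 }, true, ['encrypt']);
  const iv = wc.getRandomValues(new Uint8Array(12)); // 96-bit IV
  const ct = await wc.subtle.encrypt({ name: 'AES-GCM', iv }, key, new TextEncoder().encode(plaintext));
  const rawKey = await wc.subtle.exportKey('raw', key);
  return {
    upload: { iv: b64(iv), ciphertext: b64(ct) }, // everything the server stores
    link: `${pasteUrl}#${b64(rawKey)}`,           // key lives only after '#'
  };
}

// The part of the link an HTTP client sends: path and query, never the fragment.
function requestTarget(link) {
  const u = new URL(link);
  return u.pathname + u.search;
}

// Hypothetical in-memory server store with burn-after-read: lookup and delete
// happen in one step, so a second GET for the same id finds nothing.
function makeStore() {
  const blobs = new Map();
  return {
    put: (id, blob) => blobs.set(id, blob),
    get: (id) => {
      const blob = blobs.get(id);
      blobs.delete(id);
      return blob ? { status: 200, body: blob } : { status: 404 };
    },
  };
}

// Recipient: read the key from the fragment, then decrypt the fetched blob.
async function openPaste(link, stored) {
  const rawKey = unb64(new URL(link).hash.slice(1));
  const key = await wc.subtle.importKey('raw', rawKey, { name: 'AES-GCM' }, false, ['decrypt']);
  const pt = await wc.subtle.decrypt({ name: 'AES-GCM', iv: unb64(stored.iv) }, key, unb64(stored.ciphertext));
  return new TextDecoder().decode(pt);
}
```

AES-GCM is authenticated, so `openPaste` rejects a blob that was modified in storage instead of returning altered text.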
