← Back to Blog

How Client-Side Encryption Protects You

2 min read

You hear the word "encryption" a lot. Banks use it, apps use it, and marketers love to slap it on boxes. But not all encryption is created equal.

At NopeNotes, we use Client-Side Encryption. This is a specific type of security that ensures we (the service provider) can never see your data, even if we wanted to.

Server-Side vs. Client-Side

To understand the difference, imagine you are sending a sealed letter to a friend.

Server-Side Encryption

In this model, you write the letter, put it in an envelope, and hand it to the postman (the server). The postman takes it to the post office, opens the envelope, reads it, puts it in a new envelope, seals it with a lock only they have the key to, and stores it in a vault.

When your friend asks for the letter, the postman unlocks the vault, opens the envelope, and hands the letter to your friend.

The catch? The postman (server) had the ability to read your letter the whole time.

Client-Side Encryption

In this model, you put the letter in a safe, lock it with your own key, and hand the locked safe to the postman.

The postman carries the safe to your friend. The postman cannot open the safe because they don't have the key. You give the key directly to your friend (via the URL fragment). Your friend uses the key to open the safe.

The result: The postman (NopeNotes) never sees the letter. We just carry the locked safe.

The "Hashtag" Secret

When you create a NopeNotes link, it looks something like this: https://nopenotes.com/note/12345#abcde...

That # symbol is magical. In web browsers, anything after the # (called the fragment identifier) is never sent to the server.

  1. Before the data leaves your browser, we generate a random key.
  2. We use that key to encrypt your note.
  3. We send the encrypted note to the server.
  4. We put the key after the # in the URL.

Because the key is after the #, our servers never receive it. When you share the link, you are sharing the location of the "safe" (the note ID) AND the "key" (the part after the hash).

Why We Do It

We built NopeNotes this way because we believe in Zero Knowledge privacy. If we are subpoenaed, hacked, or pressured to release your data, we literally cannot comply. We have the encrypted gibberish, but we never had the key.

This ensures that your trust doesn't have to be in our moral character—it's mathematically guaranteed by the code running in your browser.

Enjoyed this article?

Create your own secure, disappearing note right now.

Create a Note