A privacy-first, client-side file encryption and sharing tool that embeds encrypted files directly into shareable URLs. No servers, no tracking, no data collectionβjust pure cryptographic security powered by your browser.
xsukax Secure URL File Hosting is a lightweight, zero-knowledge file sharing application that operates entirely within your web browser. Unlike traditional file hosting services that store your data on remote servers, this application encrypts your files locally and encodes them directly into shareable URLs. The encrypted payload never leaves your control, ensuring maximum privacy and security.
Built with modern web standards and leveraging the Web Crypto API, this tool provides military-grade encryption (AES-256-GCM) without requiring any backend infrastructure, user accounts, or data uploads. The entire application consists of a single HTML file (index.html) that can be hosted anywhere or even run locally without an internet connection after initial download.
- AES-256-GCM Encryption: Industry-standard authenticated encryption algorithm providing both confidentiality and integrity verification
- Client-Side Only: All cryptographic operations occur exclusively in your browserβno data transmission to external servers
- PBKDF2 Key Derivation: Password-based key derivation with 100,000 iterations and SHA-256 hashing, making brute-force attacks computationally expensive
- Zero Knowledge: The application never has access to your unencrypted files or passwords
- No Data Collection: Absolutely no analytics, tracking, cookies, or telemetry of any kind
- No Server Storage: Files are never uploaded or stored on any server; they exist only in the URL you generate
- No User Accounts: No registration, login, or personal information required
- Random Salt Generation: Each encryption uses a unique 128-bit cryptographic salt to prevent rainbow table attacks
- Unique Initialization Vectors: 96-bit random IVs ensure identical files with the same password produce different ciphertexts
- Authenticated Encryption: GCM mode provides authentication tags that detect any tampering with encrypted data
- Secure Random Number Generation: Uses
crypto.getRandomValues()for cryptographically secure randomness
- Open Source: Full source code available for audit and verification
- Single File Application: The entire application logic is contained in
index.htmlβinspect it yourself - No External Dependencies: No third-party libraries or tracking scripts; only standard Web APIs
- Offline Capable: Works without internet connectivity after initial page load
- Drag-and-Drop Interface: Intuitive file selection with visual feedback and progress indicators
- URL-Based Sharing: Encrypted files embedded directly in shareable linksβno file expiration or broken links
- Password Protection: Separate password transmission ensures security even if URLs are intercepted
- File Metadata Preservation: Original filename, type, size, and modification date retained through encryption
- Real-Time Progress Tracking: Visual progress bars and status updates during encryption and decryption
- Toast Notifications: Non-intrusive success, error, and informational messages
- Modern UI Design: Clean, GitHub-inspired dark theme with responsive layout
- Mobile Responsive: Fully functional on desktop, tablet, and mobile devices
- Keyboard Shortcuts: Ctrl+Enter for quick encryption/decryption; Enter in password fields
- Copy to Clipboard: One-click URL copying with visual confirmation
- File Size Display: Human-readable file size formatting (Bytes, KB, MB)
- Browser Compatibility: Works in all modern browsers supporting Web Crypto API
- No Third-Party Risk: Your files never exist on servers that could be hacked, seized, or shut down
- Regulatory Independence: No compliance with government data retention or surveillance mandates
- Permanent Availability: URLs work indefinitely; no file deletion after 30 days
- Cost-Free: No subscription fees, storage limits, or premium tiers
- Bandwidth Independent: File size limited only by URL length constraints (1 MB maximum)
-
Fork or Clone Repository
git clone https://github.com/xsukax/xsukax-Secure-URL-file-hosting.git cd xsukax-Secure-URL-file-hosting -
Enable GitHub Pages
- Navigate to your repository on GitHub
- Go to Settings β Pages
- Under Source, select
mainbranch and/ (root)directory - Click Save
- Your application will be live at
https://yourusername.github.io/xsukax-Secure-URL-file-hosting/
Deploy index.html to any static hosting provider:
- Netlify: Drag and drop
index.htmlto Netlify Drop - Vercel: Import repository and deploy
- AWS S3: Upload to S3 bucket with static website hosting enabled
- Azure Static Web Apps: Deploy via GitHub Actions integration
-
Download the File
wget https://raw.githubusercontent.com/xsukax/xsukax-Secure-URL-file-hosting/main/index.html
-
Open in Browser
- Simply double-click
index.html, or - Run a local server:
python3 -m http.server 8000
- Navigate to
http://localhost:8000/index.html
- Simply double-click
- Browser: Chrome 60+, Firefox 57+, Safari 11+, Edge 79+, or any modern browser with Web Crypto API support
- JavaScript: Must be enabled
- Storage: Minimal disk space for single HTML file (~50 KB)
- Network: Required only for initial page load (works offline afterward)
flowchart TD
A[Start: Upload Mode] --> B[Select File<br/>Drag & Drop or Click]
B --> C{File Size<br/>β€ 1 MB?}
C -->|No| D[Error: File Too Large]
C -->|Yes| E[Enter Password<br/>Min. 8 characters]
E --> F[Click 'Encrypt & Generate URL']
F --> G[File Read into Memory]
G --> H[Generate Salt & IV<br/>Cryptographically Random]
H --> I[Derive Key from Password<br/>PBKDF2, 100k iterations]
I --> J[Encrypt File<br/>AES-256-GCM]
J --> K[Encode to Base64]
K --> L[Create URL with Hash]
L --> M[Display Shareable URL]
M --> N[Copy URL to Clipboard]
M --> O[Share Password Separately<br/>via SMS, Email, etc.]
Step-by-Step Process:
- Access the Application: Open
index.htmlin your web browser - Select Your File:
- Click the drop zone or drag and drop your file
- Maximum file size: 1 MB
- All file types supported
- Enter Encryption Password:
- Minimum 8 characters recommended
- Use a strong, unique password
- Store password securelyβit cannot be recovered
- Generate URL:
- Click "π Encrypt & Generate Shareable URL"
- Wait for encryption progress (typically seconds)
- Encrypted URL will appear in the result section
- Share Securely:
- Copy the generated URL to clipboard
- Send URL to recipient via any channel (email, chat, etc.)
- Critically Important: Send password through a separate channel (SMS, phone call, different messaging app)
flowchart TD
A[Start: Receive URL] --> B[Open URL in Browser]
B --> C[Application Detects<br/>Encrypted Data in Hash]
C --> D[Switch to Download Mode]
D --> E[Display File Metadata<br/>Name, Size, Type]
E --> F[Enter Decryption Password<br/>Received from Sender]
F --> G[Click 'Decrypt & Download']
G --> H[Extract Salt & IV<br/>from Encrypted Data]
H --> I[Derive Key from Password<br/>PBKDF2, 100k iterations]
I --> J{Decryption<br/>Successful?}
J -->|No| K[Error: Incorrect Password<br/>or Corrupted Data]
J -->|Yes| L[Verify Authentication Tag<br/>GCM Integrity Check]
L --> M[Create Blob from Decrypted Data]
M --> N[Trigger Browser Download]
N --> O[File Saved to Downloads Folder]
Step-by-Step Process:
- Receive URL and Password:
- Get the encrypted URL from the sender
- Obtain the password through a separate secure channel
- Open the URL:
- Paste URL into browser or click the link
- Application automatically detects encrypted data
- Enter Password:
- Type the exact password provided by sender
- Password is case-sensitive and must match exactly
- Decrypt and Download:
- Click "π Decrypt & Download File"
- Wait for decryption process
- File automatically downloads with original name
- Verify File:
- Check downloaded file size matches expected size
- Open file to confirm successful decryption
graph TB
subgraph "User's Browser - Client Side Only"
A[Original File] --> B[Read File Data]
B --> C[Generate Random Salt]
B --> D[Generate Random IV]
E[User Password] --> F[PBKDF2 Key Derivation<br/>100k iterations, SHA-256]
C --> F
F --> G[AES-256 Key]
B --> H[AES-256-GCM Encryption]
G --> H
D --> H
H --> I[Encrypted Data + Auth Tag]
C --> J[Combine: Salt + IV + Encrypted]
D --> J
I --> J
J --> K[Base64 Encode]
K --> L[JSON Payload with Metadata]
L --> M[URL Hash Fragment]
end
M --> N[Shareable URL]
E --> O[Password Shared Separately]
style A fill:#3fb950
style N fill:#58a6ff
style O fill:#d29922
style G fill:#f85149
Best Practices for Password Management:
- Use a password manager to generate strong passwords
- Minimum 12-16 characters recommended for sensitive files
- Include uppercase, lowercase, numbers, and symbols
- Never reuse passwords from other services
File Size Optimization:
- Compress large files before encryption (ZIP, RAR, 7z)
- Use efficient file formats (WebP for images, MP4 for video)
- Text files compress exceptionally well
Security Considerations:
- Always share passwords through a different channel than URLs
- Consider using encrypted messaging apps (Signal, WhatsApp) for password transmission
- Delete shared URLs after recipient confirms download
- Never include password hints in URL or email subject lines
Keyboard Shortcuts:
Ctrl + Enter: Quick encrypt/decrypt actionEnterin password field: Submit formEsc: Close toast notifications (click Γ button)
This project is licensed under the GNU General Public License v3.0.
Contributions are welcome! Please feel free to submit pull requests, report bugs, or suggest features through GitHub Issues.
While this application uses strong encryption standards, users should:
- Understand the limitations of URL-based storage (browser history, logs, etc.)
- Use strong passwords and secure transmission methods
- Be aware that anyone with the URL and password can decrypt the file
- Not use this for files requiring compliance with specific regulations (HIPAA, GDPR data storage requirements, etc.)
- GitHub Repository: https://github.com/xsukax/xsukax-Secure-URL-file-hosting
- Web Crypto API Documentation: MDN Web Crypto API
- AES-GCM Specification: NIST SP 800-38D
- PBKDF2 Specification: RFC 8018
Built with β€οΈ by xsukax | Privacy-First | Open Source | Zero Knowledge