2026-03-12
Zero-KnowledgeThe # in the URL That Keeps Your Key Secret
The tiny hash symbol in a secure link is not a coincidence — it's the technical reason why even we can't intercept your decryption key.
The # in the URL that keeps your key secret
A browser behaviour dating back to 1994 is the reason no server ever sees your decryption key.
Every link generated by mboxly.app looks something like this: mboxly.app/s/a1b2c3#Kx9mP…. The part after the # is called a URL fragment — and it behaves very differently from everything before it.
By design, browsers never include the fragment in HTTP requests. When you open a link, your browser sends the path and query string to the server — but strips everything after # and keeps it locally. This is a fundamental web specification, not a clever workaround.
mboxly.app exploits this deliberately. The decryption key lives inside the fragment. Our server receives the request, delivers the encrypted ciphertext, and has no technical way to see the key. Even our own access logs contain no trace of it.
The recipient's browser extracts the key from the fragment, downloads the ciphertext, and decrypts the message entirely on the client side. The plaintext never touches our infrastructure at any point.
This also changes the threat model in a very practical way. A reverse proxy, CDN, load balancer, analytics tool, or web server log may record the path of the message URL, but not the secret fragment. That means infrastructure providers can observe that a message exists without being able to decrypt it. For a zero-knowledge service, that separation matters more than marketing claims — it is an architectural boundary enforced by the browser itself.
This single browser behaviour is what makes zero-knowledge architecture possible — no complicated key-exchange protocols, no external key servers, no trust assumptions about the service provider.
Questions about URL fragments
Can the server log the fragment if it tries?
No. The HTTP specification explicitly excludes fragments from requests. The server receives the URL without it — this is enforced at the browser and protocol level, not just by our code.
What happens if someone shares only the base URL without the fragment?
They get the ciphertext with no key — an unreadable block of encrypted bytes. Without the full link including the fragment, the message cannot be decrypted under any circumstances.
Does this work in all browsers?
Yes. URL fragment handling is part of the HTML and HTTP specifications and is consistently implemented across all modern browsers including Chrome, Firefox, Safari, and Edge.
Can the fragment leak through browser history or screenshots?
Yes — locally. The fragment is hidden from the server, but it is still visible in the recipient's address bar and browser history unless the page actively rewrites the URL after loading. So zero-knowledge protects against server-side exposure, not against someone looking at your unlocked screen.
Keep reading
More in Zero-Knowledge
2026-05-10
GDPR, Zero-Knowledge Encryption, and the Breach Notification Problem
GDPR requires breach notification within 72 hours. Zero-knowledge encryption changes the calculus — because a breach of ciphertext may not be a breach of personal data.
2026-03-04
What is Zero-Knowledge Encryption?
A plain-English explanation of how your data stays private — and why even we can't read your messages.