Privacy & Security Architecture
Last reviewed:
Most online notepads ask you to trust them with your notes. We built this one so we can't see your notes even if we wanted to. Below is the full technical breakdown of how that works — and how to verify every claim yourself.
On this page
- Summary in 30 seconds
- Where your notes live
- What our server sees (and doesn't)
- How shareable links stay private
- HTTP security headers we send
- Content Security Policy explained
- Tracking, cookies, and analytics
- Third-party dependencies
- How to verify everything yourself
- What this doesn't protect against
- Reporting security issues
Summary in 30 seconds
- Notes are saved to your browser's localStorage. They never reach our server.
- The site is HTTPS-only with HSTS, modern TLS, and a strict Content Security Policy.
- No tracking cookies, no analytics, no third-party scripts, no fingerprinting.
- Shareable links encode the note in the URL fragment — which browsers never send to a server.
- The app works offline after first load. Your notes don't need our server to exist.
- Every claim above is verifiable in 60 seconds with your browser's DevTools.
Where your notes live
Your notes are stored in your browser's localStorage under our domain's origin. This is the same browser API used by virtually every modern web app for client-side state. Three properties make it safe for our use case:
- Same-origin isolation. Per the HTML Living Standard, localStorage is partitioned by origin. Code running on any other website — even a malicious tab open in your browser — cannot read what's stored under our domain.
- No server transmission. Unlike cookies, localStorage is never automatically attached to outbound HTTP requests. The browser does not send it. Our server cannot receive it.
- Local-only persistence. Data lives on the device until you explicitly clear it. There is no sync, no upload, no cloud copy.
Verify it yourself
Open this page → press F12 → Application tab → Local Storage → our domain. You'll see your notes exactly as we store them. Then switch to the Network tab and type something into the notepad. You'll see zero outbound requests carrying your text.
What our server sees (and doesn't)
When you load this site, our web server logs the same minimal information every web server logs: the time of the request, your IP address, the URL you requested, and your browser's User-Agent string. We do not log:
- The contents of any note you write
- The URL fragment (browsers never send it)
- Any data from localStorage
- Click patterns, scroll position, or behavioral telemetry
Standard server logs are retained for a limited period for security and abuse-prevention purposes (detecting and blocking attacks), then purged. They are not joined to any other dataset, not sold, and not shared with advertisers — because we don't have advertisers.
How shareable links stay private
When you generate a share link, we encode your note's text into the URL fragment — the portion after the #. The resulting URL looks roughly like this:
https://safeonlinenotepad.com/#note=IyBNeSBub3RlCgpUaGlzIGlz...
The base64-encoded portion contains your note. Here's the security property that makes this private: per RFC 3986 §3.5 and the Fetch Living Standard, browsers do not transmit the fragment portion of a URL to the server. When someone opens the link, their browser fetches only the page itself; the note content is decoded client-side from the address bar.
Practical consequences:
- We have no log of who shared what.
- We have no way to revoke or delete a shared note — because we never stored it.
- If you accidentally share something sensitive, you must contact recipients directly. We cannot help you take it back.
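The mechanism described in this section, as an added example (not the site's actual code): a note is base64-encoded into the fragment, the request target a client sends omits it, and the recipient decodes it locally. The function names and the notepad.example host are assumptions; the `note` parameter name comes from the sample URL above.

```javascript
// Added example: hypothetical helpers, not the site's code.
const PARAM = "note"; // name taken from the sample URL on this page

// UTF-8-safe base64: btoa() alone throws on characters above U+00FF.
function encodeNote(text) {
  const bytes = new TextEncoder().encode(text);
  let bin = "";
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin);
}

function decodeNote(b64) {
  const bin = atob(b64); // throws on characters outside the base64 alphabet
  const bytes = Uint8Array.from(bin, (c) => c.charCodeAt(0));
  // fatal: true rejects byte sequences that are not valid UTF-8
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

function buildShareLink(base, text) {
  const url = new URL(base);
  url.hash = `${PARAM}=${encodeNote(text)}`;
  return url.href;
}

// What an HTTP client puts on the request line (origin-form):
// path and query only. The fragment has no place in it.
function requestTarget(link) {
  const url = new URL(link);
  return url.pathname + url.search;
}

// Recipient side. The fragment is split by hand because URLSearchParams
// would turn every "+" in the base64 text into a space.
function readSharedNote(link) {
  const frag = new URL(link).hash.slice(1);
  if (!frag.startsWith(PARAM + "=")) return null;
  try {
    return decodeNote(frag.slice(PARAM.length + 1));
  } catch {
    return null; // malformed base64 or invalid UTF-8
  }
}
```

The fragment still travels with the link itself, so anything that stores or forwards the full URL (browser history, chat logs, synced bookmarks) holds the note text.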
HTTP security headers we send
Every page response includes the following security headers:
| Header | What it does |
|---|---|
| Strict-Transport-Security | Tells your browser to never accept an unencrypted HTTP connection to our site again. |
| Content-Security-Policy | Blocks any script, style, image, or connection from a domain we don't explicitly allow. See below. |
| X-Content-Type-Options: nosniff | Prevents browsers from MIME-sniffing responses, which blocks a class of injection attacks. |
| X-Frame-Options: SAMEORIGIN | Prevents other sites from embedding ours in an iframe (clickjacking protection). |
| Referrer-Policy: strict-origin-when-cross-origin | Limits what's sent in the Referer header when you click an outbound link. |
| Permissions-Policy | Explicitly denies access to camera, microphone, geolocation, USB, payment, and other powerful APIs we don't use. |
Content Security Policy explained
Our Content Security Policy (CSP) is a list of rules the browser enforces about what resources our pages are allowed to load and execute. Here's the policy, followed by a plain-English translation:
default-src 'self';
script-src 'self' 'unsafe-inline';
style-src 'self' 'unsafe-inline';
img-src 'self' data:;
font-src 'self' data:;
connect-src 'self';
frame-ancestors 'self';
base-uri 'self';
form-action 'self'
Translation:
- default-src 'self' — by default, only load resources from our own domain
- script-src 'self' 'unsafe-inline' — only run JavaScript that's on our domain or inlined in the page we sent you (we use inline scripts intentionally for speed; no external script can ever execute)
- connect-src 'self' — the app cannot make network requests to any other domain. Even if a bug allowed someone to inject code, that code couldn't send your data anywhere.
- img-src 'self' data: — images only from our domain (or inline data URIs for icons). No tracking pixels from third parties.
- frame-ancestors 'self' — no other site can embed us in an iframe.
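To check what the policy above does and does not permit, the following added example (not the site's own code) parses it and evaluates sample loads against it, including the default-src fallback. The notepad.example origin and the sample URLs are constructed, and source matching is simplified to the source kinds this policy uses.

```javascript
// Added example: minimal CSP reader for the policy quoted on this page.
// Simplified: understands only 'self' and scheme sources such as data:.
const POLICY = `default-src 'self'; script-src 'self' 'unsafe-inline';
  style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:;
  connect-src 'self'; frame-ancestors 'self'; base-uri 'self'; form-action 'self'`;

function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored by browsers; the first one wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Fetch directives fall back to default-src; these three do not,
// which is why the policy has to list them explicitly.
const NO_FALLBACK = new Set(["frame-ancestors", "base-uri", "form-action"]);

function sourcesFor(directives, name) {
  if (directives.has(name)) return directives.get(name);
  return NO_FALLBACK.has(name) ? null : directives.get("default-src") ?? null;
}

// Would loading `url` be allowed under directive `name`
// for a page served from `pageOrigin`?
function allows(directives, name, url, pageOrigin) {
  const sources = sourcesFor(directives, name);
  if (sources === null) return true; // nothing applies: unrestricted
  const target = new URL(url);
  return sources.some((src) =>
    src === "'self'" ? target.origin === pageOrigin
    : src.endsWith(":") ? target.protocol === src.toLowerCase()
    : false);
}

// True when the policy lets inline <script> blocks run. CSP then does not
// block script text that ends up inside the page, so output escaping stays
// the control for that case. (This policy uses no nonces or hashes.)
function inlineScriptAllowed(directives) {
  return (sourcesFor(directives, "script-src") ?? []).includes("'unsafe-inline'");
}
```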
Tracking, cookies, and analytics
We do not use:
- Google Analytics, Plausible, Fathom, Mixpanel, or any other analytics product
- Facebook Pixel, Twitter, LinkedIn, or any social-media tracking
- Advertising networks of any kind
- A/B testing tools that profile users
- Heatmap or session-replay tools (Hotjar, FullStory, etc.)
- Browser fingerprinting libraries
We do not set tracking cookies. The only browser storage we use is localStorage, and it contains exactly three things:
- Your notes (under the key notepad.v1)
- Your theme preference (notepad.theme)
- Your font-size preference (notepad.fontsize) and word-wrap setting (notepad.wrap)
You can inspect each of these in DevTools. Nothing else is stored.
Third-party dependencies
We deliberately minimize external dependencies. The notepad's runtime has zero JavaScript dependencies. No React, no jQuery, no analytics SDK, no error reporter. Everything is vanilla HTML, CSS, and JavaScript served from our domain.
This is a security choice as much as a performance one. Every dependency is a potential supply-chain risk — see, for example, the 2018 event-stream incident, where a maliciously updated npm package siphoned cryptocurrency from users. With no dependencies, this category of attack is impossible.
How to verify everything yourself
Don't take our word for it. Verify each claim in your own browser:
1. Notes don't leave your browser
Open DevTools (F12) → Network tab → reload the notepad → type a long sentence. Watch the Network panel. No request appears containing your text.
2. No third-party domains are contacted
In the same Network panel, look at every request's Domain column. They should all show our domain — and nothing else.
3. The security headers are real
In the Network panel, click any request → Headers → Response Headers. You should see strict-transport-security, content-security-policy, x-content-type-options, and the others listed above.
4. There are no tracking cookies
DevTools → Application → Cookies → our domain. The list should be empty.
5. Shared links truly aren't transmitted
Open a share link with DevTools open. Look at the request URL in the Network tab. The portion after the # is missing — the browser stripped it before sending.
6. SSL/TLS is configured properly
Run our domain through SSL Labs' Server Test. We aim for an A or A+ rating.
What this doesn't protect against
Honesty is part of being trustworthy. Here's what our setup does not defend against:
- Someone with physical access to your device. If a person can open your browser, they can open your notes. Lock your computer when you walk away.
- Browser extensions you've installed. Extensions with broad permissions can read localStorage from any site. Only install extensions you trust.
- Clearing your browser data. If you clear cookies and site data, your notes are deleted. Use Ctrl+S to save important notes to disk, or File → Backup all notes for a full export.
- A device-level compromise. If your computer has malware, no browser-based privacy protection can save you. Run trustworthy software, keep your OS updated.
- Sharing the wrong link. If you send a share link to the wrong person, we can't take it back. Review what you're sharing before you hit send.
For genuinely sensitive information — passwords, financial details, medical records — use a tool designed for that purpose (a password manager, encrypted notes app, or local-only text editor). A browser-based notepad is great for the 99% of notes that don't need that level of protection.
Reporting security issues
If you find a security issue, please email us at security@example.com. Coordinated disclosure is appreciated — give us a reasonable window to fix the issue before public disclosure. We will credit reporters who follow responsible disclosure in the changelog of any fix.