URL Fragment Security

Why I can't see your key.

Your browser never sends the part of a URL after the # to the server. That is how URLs and HTTP requests are specified, not a choice Secret.Broker makes.

What's in the link

When you create a secret, you get a link like this:

https://secret.broker/reveal/ab12-cd34-ef56#x8z9-Key-123

What I See

https://secret.broker/reveal/ab12-cd34-ef56

I get the request for the secret ID and send back the encrypted data.

What You Keep

#x8z9-Key-123

This stays in your browser. It's the decryption key.

Why the fragment stays private

RFC 3986 (section 3.5) specifies that the fragment is separated from the URI before the URI is dereferenced, so it is handled entirely by the client. When your browser makes an HTTP request, the request target it sends is the path plus the query string; the fragment is omitted. This behaviour comes from the URI and HTTP specifications, not from a policy Secret.Broker sets.

Server logs, CDN logs, and proxy logs all record the URL that was requested. None of them include the fragment, because the fragment was never sent. The fragment is hidden from the network, not from your own device: scripts running on the reveal page can still read it, and your browser may keep it in history or bookmarks, so treat the full link itself as the secret.

What about referrer headers?

When you click a link on a page, the browser may send a Referer header to the next site. RFC 9110 requires the browser to strip the fragment (and any userinfo) when it builds that header. Even if someone clicks an external link from the reveal page, the decryption key does not leak through the referrer.

Paranoid mode and fragments

In normal mode, the decryption key is in the fragment. In paranoid mode, the key is separated from the link entirely: you send the link through one channel and the key through another. The fragment-level protection is no longer what keeps the key off the wire, because the key never appears in the URL at all.