Technical Security Whitepaper
Security Architecture & Cryptographic Design
Zero-Knowledge Secret Transmission — Design, Threat Model & Operational Controls
Abstract
This document describes the security architecture, cryptographic primitives, threat model, and operational controls underpinning the fetchOnce one-time secret sharing service. It is intended for security practitioners, compliance teams, and technically informed stakeholders evaluating fetchOnce for organisational use. The central property of this architecture is that the server is mathematically incapable of accessing stored secret content under any operational circumstance.
1. Executive Summary
fetchOnce is a zero-knowledge, one-time secret sharing service. It enables the secure transmission of sensitive credentials, tokens, and confidential data between parties without exposing that data to any server, intermediary, or network observer.
The central security property of fetchOnce is architectural rather than procedural: the server is mathematically incapable of reading stored secrets. Encryption is performed exclusively in the sender's browser using browser-native cryptographic APIs before any data transits the network. The decryption key is never transmitted to the server under any circumstances. The server stores only opaque ciphertext it cannot interpret.
Upon retrieval, the secret is atomically deleted from persistent storage in the same database transaction that returns the ciphertext to the authorised recipient. The deletion is immediate, permanent, and unrecoverable. There is no soft-delete, no backup retention of secret content, and no administrative pathway to retrieve a revealed secret.
This architecture eliminates an entire class of server-side data breach risk. A fully compromised server yields no usable plaintext. The cryptographic guarantee holds regardless of the operational security posture of the infrastructure.
2. Threat Model
2.1 Assets Under Protection
The primary asset is the plaintext secret content provided by the sender: passwords, API keys, private tokens, access credentials, and similar sensitive values. Secondary assets include metadata that could reveal usage patterns, though fetchOnce is designed to minimise even this.
2.2 Threat Actors Considered
| Actor | Capability | Mitigated? |
|---|---|---|
| Network observer (passive) | Intercepts traffic in transit | Yes — TLS + key never in request |
| Network observer (active MITM) | Intercepts and modifies traffic | Yes — TLS + HSTS + GCM integrity tag |
| Compromised server / database dump | Full read access to stored data | Yes — only ciphertext stored |
| Malicious server operator | Full control of infrastructure | Yes — encryption is client-side only |
| Server-side log analysis | Reads all server logs | Yes — key is in URL fragment, never logged |
| Unauthorised recipient (no link) | Attempts to enumerate secrets | Yes — random IDs + rate limiting |
| Replay attack (second reveal) | Attempts second retrieval | Yes — atomic delete on first reveal |
| CSRF attacker | Forces victim to reveal secret | Yes — HMAC-signed CSRF tokens |
| Brute-force / DoS | High-volume requests | Yes — per-IP rate limiting |
2.3 Out-of-Scope Threats
fetchOnce does not protect against: compromise of the sender's or recipient's device; keyloggers or malicious browser extensions on either endpoint; social engineering of the recipient; or interception of the out-of-band channel used to transmit the link. These threats are outside the scope of any server-side security control.
3. Cryptographic Architecture
3.1 Encryption Algorithm
All secret content is encrypted using AES-256-GCM (Advanced Encryption Standard, 256-bit key, Galois/Counter Mode). AES-GCM is an authenticated encryption with associated data (AEAD) scheme that simultaneously provides:
- Confidentiality — the plaintext cannot be recovered without the key
- Integrity — any modification to the ciphertext causes decryption to fail unconditionally
- Authenticity — the 128-bit authentication tag verifies the ciphertext was produced by the holder of the key
AES-256-GCM is the authenticated encryption standard recommended by NIST SP 800-38D and is approved under FIPS 140-2. It is the same algorithm used to secure TLS 1.3 connections.
3.2 Key Generation
A unique 256-bit AES key is generated for every secret using the browser's crypto.getRandomValues() API, which sources entropy from the operating system's cryptographically secure pseudorandom number generator (CSPRNG). No two secrets share a key. Keys are generated entirely within the sender's browser and are never transmitted to any server.
3.3 Initialisation Vector
Each encryption operation uses a fresh 96-bit (12-byte) initialisation vector (IV), also generated via crypto.getRandomValues(). The IV is prepended to the ciphertext before storage. GCM mode with a 96-bit IV is the NIST-recommended configuration and provides the strongest security guarantees for that mode.
3.4 Implementation
All cryptographic operations are performed using the browser's native Web Crypto API (window.crypto.subtle). No third-party cryptographic libraries are used. The Web Crypto API is implemented natively by the browser vendor and is not subject to supply chain attacks on JavaScript dependencies.
4. Key Management & Distribution
4.1 Key Confinement
The encryption key exists only in the sender's browser memory during the creation flow and in the recipient's browser memory during the reveal flow. It is never written to disk, never stored in browser storage (cookies, localStorage, sessionStorage, IndexedDB), and never transmitted to any server.
4.2 Key Distribution via URL Fragment
The key is encoded in base64url format and appended to the secret link as the URL fragment — the portion of the URL following the # character. URL fragments are explicitly excluded from HTTP request transmission by the HTTP/1.1 specification (RFC 7230) and all subsequent versions. Browsers do not include the fragment in the request URI sent to the server. The key therefore does not appear in:
- Server access logs
- Reverse proxy logs
- Network capture at the server
- CDN or load balancer logs
- Referrer headers on outbound navigation
4.3 Key Lifetime
The key is ephemeral. Once the recipient's browser has successfully decrypted the secret, the key has no further utility. The server-side record has been deleted. The key material in browser memory is garbage collected when the page is closed. No persistent copy of the key exists in any system under fetchOnce's control.
5. Data Lifecycle & Retention
5.1 What Is Stored
fetchOnce stores the minimum data necessary to operate the service:
| Field | Contents | Readable by server? |
|---|---|---|
| Secret ID | Random UUID | Yes — identifier only |
| Ciphertext | AES-256-GCM encrypted blob | No |
| Created at | UTC timestamp | Yes |
| Expires at | UTC timestamp | Yes |
Key names, secret values, sender identity, recipient identity, and IP addresses are not stored in association with secret records.
5.2 Reveal & Deletion
When a recipient reveals a secret, the server executes a single atomic database transaction that reads the ciphertext and deletes the record. These two operations are not separable: there is no system state in which the ciphertext has been returned to a client but the record has not been deleted. A second request for the same secret ID returns HTTP 404 unconditionally.
5.3 Expiry
Each secret carries an expiration timestamp set at creation time, between one hour and seven days. A background process periodically sweeps for expired records and deletes them permanently. An expired secret cannot be retrieved, revealed, or recovered by any means.
5.4 Deletion Permanence
Deleted records are not retained in any backup, recycle bin, or soft-delete state. There is no administrative interface through which a deleted secret may be recovered. The deletion is final.
6. Transport Security
All traffic between clients and the fetchOnce service is protected by TLS 1.2 or higher, with TLS 1.3 preferred. The following HTTP security headers are enforced on all responses:
| Header | Value & Purpose |
|---|---|
Strict-Transport-Security | max-age=63072000; includeSubDomains; preload — enforces HTTPS for two years including subdomains |
Content-Security-Policy | Restricts resource loading to same-origin; prohibits inline script execution; enforces Trusted Types |
X-Frame-Options | DENY — prevents clickjacking via iframe embedding |
X-Content-Type-Options | nosniff — prevents MIME type sniffing attacks |
Referrer-Policy | no-referrer — prevents the URL (and embedded key fragment) from appearing in Referer headers |
Cross-Origin-Opener-Policy | same-origin — prevents cross-origin window access |
Permissions-Policy | Disables camera, microphone, geolocation, and payment APIs |
7. Infrastructure Security
7.1 Reverse Proxy Architecture
The application tier communicates with the reverse proxy over a Unix domain socket rather than a TCP network interface. This eliminates the network attack surface between the proxy and application layers entirely. The application process is not reachable from any network interface directly.
7.2 Container Hardening
The application runs inside a minimal Alpine Linux container built using a multi-stage Docker build. The runtime image contains no compiler, no build toolchain, no package manager, and no shell utilities beyond what is strictly required for operation. Specific hardening measures include:
- Process runs as a dedicated non-root user with no login shell
- Application source files are mounted read-only (
chmod 444) dumb-initserves as PID 1, ensuring correct signal propagation and zombie process reaping- Container resource limits constrain memory and CPU consumption
7.3 Dependency Management
All container images are scanned for known vulnerabilities using Trivy prior to deployment. Images containing HIGH or CRITICAL severity CVEs with available fixes are blocked from deployment automatically. Base images are pinned to specific Alpine Linux versions to prevent supply chain substitution.
7.4 Deployment Pipeline
All code changes are deployed through an automated CI/CD pipeline that enforces the following gate sequence: build, vulnerability scan, database migration, deployment. No code reaches production without passing each gate. Database schema changes are applied atomically via Alembic migrations before the new application version receives traffic.
8. Application-Level Controls
8.1 CSRF Protection
All state-mutating endpoints (secret creation and revelation) require a valid Cross-Site Request Forgery token. Tokens are HMAC-SHA256 signed with a server-side secret, include a random nonce and an embedded timestamp, and expire after one hour. Validation uses constant-time comparison to prevent timing oracle attacks. Tokens are single-use in practice, as each page load generates a fresh token.
8.2 Rate Limiting
A per-IP sliding window rate limiter is applied to all creation and reveal endpoints. Requests exceeding the threshold receive HTTP 429 with a Retry-After header. The limiter includes a periodic sweep to remove stale entries, preventing unbounded memory growth under sustained attack traffic.
8.3 Input Validation
All API inputs are validated against typed Pydantic schemas before processing. Encrypted payload size is bounded to prevent storage exhaustion. Secret IDs are validated against an allowlist pattern before database lookup to prevent injection attacks.
8.4 Request Correlation
Every request is assigned a unique X-Request-ID that propagates through all log entries for that request. This enables forensic correlation of related log events across the application and proxy layers without requiring any identifying user data.
9. Privacy & Data Minimisation
fetchOnce is designed around the principle of data minimisation. The service collects no personally identifiable information about senders or recipients. Specifically:
- No user accounts, registration, or authentication is required
- No cookies are set on any client
- No analytics, telemetry, or tracking mechanisms are employed
- IP addresses are present in operational access logs but are not correlated with or stored alongside secret records
- The only third-party resource loaded is Google Fonts for typography, subject to Google's standard privacy policy
Because the service stores no personal data associated with individuals, data subject access requests, right-to-erasure requests, and similar GDPR/CCPA obligations are straightforwardly satisfied: there is no personal data to return or delete.
10. Compliance Considerations
The tables below map fetchOnce's implemented controls to the requirements of major security and compliance frameworks. fetchOnce has not undergone formal third-party audit against any of these frameworks. The mappings represent design alignment and are provided to assist evaluators in determining applicability to their compliance programmes.
10.1 SOC 2 Type II — Trust Services Criteria
SOC 2 evaluates controls across five Trust Services Criteria categories. The following criteria are relevant to a zero-knowledge secret transmission service:
| Criteria | Criterion | fetchOnce Control | Status |
|---|---|---|---|
| CC6.1 | Logical access security measures | Access controlled solely by possession of the cryptographic link; no accounts required | Implemented |
| CC6.1 | Encryption of data at rest | AES-256-GCM client-side encryption; server stores only opaque ciphertext | Implemented |
| CC6.7 | Transmission confidentiality | TLS 1.3 enforced; HSTS with two-year max-age and preload directive | Implemented |
| CC6.8 | Prevention of unauthorised access | Per-IP rate limiting; CSRF token validation; secret ID entropy prevents enumeration | Implemented |
| CC7.2 | System monitoring | Structured JSON logging; X-Request-ID correlation; /healthz DB connectivity check | Implemented |
| CC8.1 | Change management | CI/CD pipeline with mandatory Trivy vulnerability scan before each deployment | Implemented |
| CC9.2 | Vendor and supply chain risk | Trivy image scanning; minimal Alpine base with no build toolchain at runtime | Implemented |
| A1.1 | Availability commitments | Health check endpoint; automated container restart; database failover detection | Implemented |
| P3.1 | Data minimisation | No PII collected or retained; IP addresses not stored with secret records | Implemented |
| P4.1 | Data retention and disposal | Atomic delete on reveal; TTL-based expiry sweep; no soft-delete or backup retention | Implemented |
10.2 NIST SP 800-53 Rev 5
NIST SP 800-53 is the US federal information security control catalogue, forming the basis of FedRAMP. The following control families are relevant to fetchOnce's architecture:
| Control ID | Control Name | fetchOnce Implementation |
|---|---|---|
| AC-2 | Account Management | No user accounts; access model is anonymous possession of a cryptographic link |
| AC-17 | Remote Access | All remote access over TLS 1.2+; HSTS prevents downgrade |
| AU-2 | Event Logging | All requests produce structured JSON log entries with timestamp, method, path, status, and X-Request-ID |
| AU-9 | Protection of Audit Information | Logs written to stdout; collected by container orchestrator; not modifiable by application |
| IA-5 | Authenticator Management | Authentication by cryptographic link possession; no passwords, tokens, or credentials managed server-side |
| SC-8 | Transmission Confidentiality & Integrity | TLS 1.3 preferred; certificate managed by Caddy with automatic renewal |
| SC-12 | Cryptographic Key Establishment | 256-bit keys generated in browser via CSPRNG; never transmitted to server |
| SC-13 | Cryptographic Protection | AES-256-GCM (FIPS 197); HMAC-SHA256 (FIPS 198-1); TLS 1.3 (RFC 8446) |
| SC-28 | Protection of Information at Rest | Stored data is AES-256-GCM ciphertext; decryption key never present on server |
| SI-2 | Flaw Remediation | Trivy vulnerability scanning blocks deployment on HIGH/CRITICAL CVEs |
| SI-10 | Information Input Validation | Pydantic schema validation on all API inputs; payload size bounds enforced |
| SI-12 | Information Management and Retention | Atomic deletion on reveal; configurable TTL expiry; no retention of secret content |
| SR-3 | Supply Chain Controls | Multi-stage Docker build; runtime image contains no build toolchain; pinned base image versions |
10.3 HITRUST CSF v11
The HITRUST Common Security Framework is widely adopted in healthcare and financial services. The following control categories are relevant to fetchOnce:
| Category | Control Reference | fetchOnce Implementation |
|---|---|---|
| Information Protection Program | 00.a | Security architecture documented in this whitepaper; annual review cycle |
| Access Control | 01.a | Access granted by link possession only; no user provisioning or de-provisioning required |
| Access Control | 01.d | Per-IP rate limiting prevents brute-force enumeration of secret identifiers |
| Audit Logging | 09.aa | Structured request logging with correlation IDs on all endpoints |
| Cryptographic Controls | 09.ab | AES-256-GCM encryption; NIST-approved key lengths and modes |
| Key Management | 09.ac | Keys generated client-side via Web Crypto API; never transmitted or stored server-side |
| Network Controls | 09.m | Unix socket between proxy and application; no direct network exposure of application process |
| Electronic Messaging | 09.v | Only ciphertext transits the network; server cannot read transmitted content |
| Application Security | 10.a | CSRF protection; input validation; Secret IDs validated against allowlist pattern |
| System Development | 10.k | Automated CI/CD pipeline; vulnerability scanning gate before production deployment |
| Data Minimisation | 19.a | No PII collected; ciphertext not attributable to individuals without the key |
10.4 FedRAMP Baseline Alignment
FedRAMP applies NIST SP 800-53 controls at Low, Moderate, and High impact baselines for US federal cloud services. fetchOnce has not undergone FedRAMP authorisation. The table below indicates alignment of implemented controls with each baseline level for the relevant control families:
| Control Family | Low Baseline | Moderate Baseline | High Baseline |
|---|---|---|---|
| Access Control (AC) | Aligned | Aligned | Not assessed |
| Audit & Accountability (AU) | Aligned | Aligned | Not assessed |
| Identification & Authentication (IA) | Aligned | Partial — no MFA (N/A by design) | Not assessed |
| System & Comms Protection (SC) | Aligned | Aligned | Not assessed |
| System & Info Integrity (SI) | Aligned | Aligned | Not assessed |
| Supply Chain Risk (SR) | Aligned | Aligned | Not assessed |
| Incident Response (IR) | Partial — responsible disclosure policy in place; no formal IR plan documented | Not assessed | Not assessed |
| Contingency Planning (CP) | Partial — database backups managed at infrastructure level; no formal BCP document | Not assessed | Not assessed |
Agencies considering fetchOnce for Low or Moderate impact workloads should conduct an independent assessment against the full applicable control baseline. High impact workloads require formal FedRAMP authorisation with a third-party assessment organisation (3PAO).
10.5 GDPR
fetchOnce does not act as a data processor in the GDPR sense with respect to secret content, because it never has access to that content. The service processes only the ciphertext, which is not personal data within the meaning of GDPR Article 4(1) as it cannot be attributed to an identifiable natural person by fetchOnce or any party without the key.
10.6 HIPAA
Organisations subject to HIPAA should evaluate whether transmitting protected health information via fetchOnce is appropriate for their compliance posture. The zero-knowledge architecture means fetchOnce cannot read, use, or disclose PHI stored through the service. However, formal HIPAA BAA coverage and independent compliance assessment are the responsibility of the covered entity.
11. Responsible Disclosure
fetchOnce welcomes responsible disclosure of security vulnerabilities. If you identify a potential security issue, please report it to the address listed in our security.txt file. We commit to acknowledging reports promptly and working in good faith toward resolution before public disclosure.
We ask that you do not publicly disclose vulnerability details before we have had a reasonable opportunity to investigate and respond, and that you do not exploit any identified vulnerability against live user data.
Appendix: Cryptographic Primitive Reference
| Primitive | Specification | Purpose |
|---|---|---|
| AES-256-GCM | NIST SP 800-38D, FIPS 197 | Secret encryption and authentication |
| CSPRNG | W3C Web Crypto API / OS entropy | Key and IV generation |
| HMAC-SHA256 | RFC 2104, FIPS 198-1 | CSRF token signing |
| TLS 1.3 | RFC 8446 | Transport encryption |
| base64url | RFC 4648 §5 | Key encoding in URL fragment |