
How URL fragments make true zero-knowledge file sharing possible

DEV Community · anon.li · about 1 month ago

Here's a URL:

    https://anon.li/d/abc123#U2FsdGVkX1...

The thing after the # is an AES-256 encryption key. The server hosting the file behind abc123 cannot see it, cannot log it, and cannot reproduce it from anything else it stores. If the server gets owned tomorrow, the attacker walks away with encrypted blobs and nothing to decrypt them with.

This isn't marketing copy. It's a property of HTTP that has been there since 1996 and that almost nobody uses for what it's good at. Let's pull on it.

The HTTP fragment is special

When your browser fetches https://example.com/page?foo=bar#section, here's what's actually sent over the wire:

    GET /page?foo=bar HTTP/1.1
    Host: example.com

The #section part, the fragment identifier, never appears in the request line, never appears in headers, never reaches the origin server.…
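The split described above, as an added example that is not part of the original article or anon.li's code: it separates a share link into the bytes a server (and its access log) can see and the key material that stays in the client. It assumes the fragment is a base64url-encoded 32-byte key, which the page does not state; the function names and the sample key are constructed for illustration.

```javascript
// Added example. Assumption: fragment = base64url of a raw 32-byte AES-256 key.

// Split a share link into what goes on the wire and what stays in the client.
function splitShareUrl(link) {
  const u = new URL(link);
  // The request target is path + query only; the fragment is never sent.
  const requestLines = [
    `GET ${u.pathname}${u.search} HTTP/1.1`,
    `Host: ${u.host}`,
  ];
  const fragment = u.hash.startsWith("#") ? u.hash.slice(1) : "";
  return { requestLines, fragment };
}

// Everything a server-side access log could record for this link.
function serverVisible(link) {
  return splitShareUrl(link).requestLines.join("\r\n");
}

// Decode the key client-side and refuse anything that is not exactly 32 bytes.
// Buffer.from() silently skips invalid characters, so validate the alphabet first.
function keyFromFragment(fragment) {
  if (!/^[A-Za-z0-9_-]+$/.test(fragment)) {
    throw new Error("fragment is not base64url");
  }
  const key = Buffer.from(fragment, "base64url");
  if (key.length !== 32) {
    throw new Error(`expected a 32-byte key, got ${key.length} bytes`);
  }
  return key;
}

// Constructed sample: key bytes 0x00..0x1f, not a real secret.
const SAMPLE_KEY = Buffer.from(Array.from({ length: 32 }, (_, i) => i));
const SAMPLE_LINK =
  `https://anon.li/d/abc123?dl=1#${SAMPLE_KEY.toString("base64url")}`;

const { requestLines, fragment } = splitShareUrl(SAMPLE_LINK);
console.log("sent to server:\n" + requestLines.join("\n"));
console.log("kept in client:", keyFromFragment(fragment).length, "key bytes");
```

The guarantee covers only the HTTP request: any script running on the page can still read `location.hash`, so the key is as safe as the JavaScript the page loads.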
