About nofile.in

nofile.in is a minimalist tool for sharing files without handing over your data. Everything is encrypted in the browser, links expire quickly, and the key never leaves the client.

Why it exists

We built nofile.in for incidents, quick audits, press tips, and any moment when you need to send files without creating accounts or trusting another analytics pipeline. The interface is intentionally quiet so you can focus on the upload.

  • Anonymous uploads without registration
  • Short-lived links and optional self-destruct
  • Zero-knowledge architecture; even metadata is limited
  • Dark, accessible design tuned for low-light environments

How encryption works

  1. Generate the key

    The browser uses Web Crypto to produce a random AES-GCM key plus a fresh IV for every chunk.

  2. Encrypt then upload

    Chunks are encrypted before leaving your device. The server receives only ciphertext, filename, MIME type, and basic retention settings.

  3. Share full link

    The encryption key is base64url encoded and placed after the # fragment. Browsers do not send the fragment in HTTP requests, so it never touches the server or logs.

  4. Decrypt locally

    Recipients fetch ciphertext, extract the key from the fragment, and decrypt in their browser. Remove the fragment and the file stays unreadable.
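
The four steps above as an added JavaScript example (not nofile.in's own code). The 256-bit key length, the 12-byte IV stored in front of each chunk, the 64 KiB chunk size, and the https://nofile.example/f/<id> link layout are assumptions; the page does not specify them.

```javascript
// Added illustration, not nofile.in's code. Assumed: 256-bit key, 12-byte IV stored
// in front of each chunk, link layout https://nofile.example/f/<id>#<key>.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto; // fallback for older Node

const b64url = (bytes) =>
  btoa(String.fromCharCode(...bytes)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const unb64url = (s) => {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat((4 - (s.length % 4)) % 4);
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
};

// Steps 1-2: random key, fresh IV per chunk, encrypt before anything is sent.
async function encryptForUpload(plain, chunkSize = 64 * 1024) {
  const key = await wc.subtle.generateKey({ name: "AES-GCM", length: 256 }, true, ["encrypt"]);
  const chunks = [];
  for (let off = 0; off < plain.length; off += chunkSize) {
    const iv = wc.getRandomValues(new Uint8Array(12));
    const ct = await wc.subtle.encrypt({ name: "AES-GCM", iv }, key, plain.subarray(off, off + chunkSize));
    const out = new Uint8Array(12 + ct.byteLength); // IV || ciphertext || 16-byte GCM tag
    out.set(iv);
    out.set(new Uint8Array(ct), 12);
    chunks.push(out);
  }
  const rawKey = new Uint8Array(await wc.subtle.exportKey("raw", key));
  return { chunks, fragment: b64url(rawKey) };
}

// Step 3: the key rides in the fragment, which is not part of the HTTP request target.
const buildLink = (fileId, fragment) => `https://nofile.example/f/${fileId}#${fragment}`;
const requestTarget = (link) => { const u = new URL(link); return u.pathname + u.search; };

// Step 4: the recipient reads the key from the fragment and decrypts locally.
async function decryptFromLink(link, chunks) {
  const frag = new URL(link).hash.slice(1);
  if (!frag) throw new Error("link has no fragment: the key is missing");
  const key = await wc.subtle.importKey("raw", unb64url(frag), "AES-GCM", false, ["decrypt"]);
  const parts = [];
  for (const c of chunks) {
    const pt = await wc.subtle.decrypt({ name: "AES-GCM", iv: c.subarray(0, 12) }, key, c.subarray(12));
    parts.push(new Uint8Array(pt)); // decrypt() rejects if the chunk or its tag was altered
  }
  const out = new Uint8Array(parts.reduce((n, p) => n + p.length, 0));
  let pos = 0;
  for (const p of parts) { out.set(p, pos); pos += p.length; }
  return out;
}
```

Because AES-GCM is authenticated, a chunk modified in storage or in transit makes decryption fail instead of yielding altered plaintext.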

What we store

The server keeps only the metadata required to deliver files and enforce retention windows:

  • Encrypted slices produced by your browser
  • Filename, MIME type, size, and retention settings
  • Optional salted password hash when you set a download password
  • Timestamps, download counter, and the deletion token saved in your localStorage

Encryption keys never leave the browser. IP addresses are logged when uploads start to satisfy legal retention rules.

Logging and analytics

Operational logs capture a minimal tuple of timestamp, originating IP, HTTP verb, and route so we can debug issues. We do not log fragments or decrypted content, and we do not embed third-party analytics pixels.

Service health relies on aggregated metrics only—no per-user analytics.

Cookies and local data

nofile.in relies on localStorage to remember uploads created from your current browser. The list contains the moderation token needed to delete files later. Session cookies exist only when you authenticate through LDAP, HTTP headers, or htpasswd integrations.

We do not set tracking cookies.

Abuse and takedowns

Use the report button on any file page or reach out via shubham@hostmycode.in with the file ID, filename, and link. Reported files are reviewed quickly and removed when they violate the law or our terms. Deleting a file removes its ciphertext immediately from storage.

Responsible use

You are accountable for the content you upload. Do not send malware, illegal material, or anything that violates rights or contracts. Administrators act on abuse reports promptly—use the in-app report button or email us if something looks off.

Keep the fragment secret. Sending screenshots or shortened links often strips the fragment and renders the file unusable for recipients. If you must share the link without the key, send the fragment over a separate channel.

Contact & transparency

Questions or security feedback are welcome at shubham@nofile.in.

Abuse reports and urgent issues: shubham@hostmycode.in

Last updated: 8 November 2025.