Frequently Asked Questions

HexBurn is a free online privacy-first platform for sending self-destructing encrypted messages, PDFs, and secure communications. It uses military-grade AES-256-GCM encryption directly in your browser to encrypt your messages before creating a shareable link. When the recipient opens the link, the message is decrypted in their browser and immediately destroyed after reading. No data is ever stored on servers, ensuring complete privacy and GDPR compliance.

No account required. HexBurn is completely free and works without any registration, sign-up, or login. Simply visit the website, create your encrypted message, and share the generated link. This zero-account architecture ensures maximum privacy since we never collect personal information, email addresses, or user data.

Yes, HexBurn is 100% free forever with no hidden costs, premium tiers, or paid features. All encryption features, self-destructing messages, PDF burning, time capsules, and P2P chat are completely free to use without limitations. We believe privacy is a fundamental right, not a premium feature.

To send a self-destructing encrypted message: 1) Click "Self-Destruct Message" on the homepage, 2) Type your confidential message, 3) Optionally add a passphrase for extra security, 4) Click "Encrypt & Create Link", 5) Share the generated secure URL with your recipient. Once they open and read the message, it will burn automatically and become permanently inaccessible.

HexBurn works on all modern browsers including Chrome, Firefox, Safari, Edge, and Opera on desktop, tablet, and mobile devices. The platform uses the Web Crypto API built into modern browsers, so it works seamlessly on Windows, Mac, Linux, iOS, and Android without requiring any app installation or downloads.

Yes, HexBurn is a web-based application that requires no installation, no downloads, and no browser extensions. Simply visit the website from any modern browser and start encrypting messages immediately. This makes HexBurn perfect for quick, on-the-go secure messaging without the hassle of app installations.

You can send your first encrypted message in under 30 seconds. Just visit HexBurn, type your message, click encrypt, and share the link. No tutorials, no account setup, no configuration needed. The interface is designed for instant, intuitive use.

No. HexBurn is designed to be as simple as sending a regular text message. If you can copy and paste a link, you can use HexBurn. The interface uses familiar patterns and provides helpful tooltips for advanced features like passphrases and time capsules.

HexBurn uses AES-256-GCM (Advanced Encryption Standard with Galois/Counter Mode), the same military-grade encryption standard used by governments, banks, and intelligence agencies worldwide. This encryption happens entirely in your browser using the Web Crypto API, meaning your data is encrypted before leaving your device. The encryption keys are generated randomly for each message and included only in the URL fragment, which never reaches our servers.

No. It is cryptographically impossible for HexBurn to see, read, or access your messages. All encryption and decryption happen entirely in your browser using client-side JavaScript. The encrypted data is stored in the URL fragment (after the # symbol), which browsers never send to servers. We literally cannot access your data even if we wanted to - this is true zero-knowledge architecture.

HexBurn is 100% GDPR, CCPA, LGPD, and POPIA compliant by design. We collect zero personal data, use no cookies, no tracking scripts, no analytics, and no third-party integrations that could compromise privacy. Since all processing happens client-side in your browser and we never store user data on servers, there is no data to breach, leak, or misuse. This makes HexBurn one of the most privacy-friendly communication tools available.

Self-destructing messages on HexBurn burn after reading, meaning they can only be opened once. After the first view, the decryption keys are permanently destroyed from memory and the message becomes unrecoverable. Any subsequent attempts to access the same URL will show an error indicating the message has already been burned. This ensures messages cannot be read multiple times or forwarded after viewing.

No. Since HexBurn uses zero-knowledge encryption and stores nothing on servers, there is no data to subpoena, request, or access. Messages exist only as encrypted data in URLs, and once burned, they are permanently deleted with no backups or recovery options. Even with legal demands, we cannot provide access to messages because we never have access ourselves.

Zero-knowledge encryption means the service provider (HexBurn) has zero knowledge of your data. All encryption keys are generated in your browser, encryption happens on your device, and the encrypted content is stored in the URL without ever touching our servers. This architecture ensures that only you and your intended recipient can decrypt and read the message, with no third party having access.

HexBurn is served over HTTPS (SSL/TLS) encryption, preventing man-in-the-middle attacks during transmission. Additionally, since all cryptographic operations happen in your browser using the Web Crypto API, the encryption keys never transit the network. The P2P chat feature includes ECDH key exchange with fingerprint verification for maximum MITM protection. For regular messages, you can add a passphrase that you share with the recipient through a separate secure channel, adding defense-in-depth protection.

No. HexBurn uses absolutely no cookies, no tracking pixels, no analytics scripts, no fingerprinting, and no third-party advertising networks. We do not track your IP address, browser information, or any behavioral data. The website is completely cookie-free and tracking-free, ensuring maximum privacy for all users.

Yes, significantly safer. Regular email transmits messages in plain text (unless using PGP/S/MIME), stores copies on multiple servers, and leaves permanent records. HexBurn encrypts messages with AES-256 before transmission, stores nothing on servers, and burns messages after reading. Even if email servers are compromised, old emails remain accessible, while HexBurn messages are destroyed permanently.

HexBurn messages are protected by AES-256-GCM encryption, which is computationally infeasible to break with current technology. Even if a hacker intercepts the encrypted data, they cannot decrypt it without the encryption key embedded in the URL fragment. Additionally, HTTPS protects the transmission, and burn-after-reading ensures even if someone gains access later, the message is already destroyed.

HexBurn follows industry-standard security practices including NIST SP 800-56A (ECDH), NIST SP 800-38D (AES-GCM), NIST SP 800-108 (HKDF), FIPS 180-4 (SHA-256), and RFC 2104 (HMAC). While we do not hold commercial certifications like SOC2 or ISO 27001, our open-source code allows independent security audits. The cryptographic implementation uses browser-native Web Crypto API, which is audited by browser vendors.

Current quantum computers cannot break AES-256 encryption. While quantum computers pose theoretical risks to some asymmetric encryption (like RSA), AES-256 symmetric encryption remains quantum-resistant. HexBurn's AES-256-GCM implementation would require quantum computers with far more qubits than currently exist or are projected to exist in the near future. For additional quantum resistance, the P2P chat uses ECDH P-384, which offers better post-quantum security than smaller curves.

Time capsule messages are encrypted messages that unlock on a specific future date. You create the message, set an unlock date (hours, days, months, or years in the future), and share the link. The recipient can access the link immediately, but the message remains cryptographically locked until the unlock time arrives. This is perfect for birthday surprises, scheduled announcements, future reminders, or delayed revelations. The time-locking happens entirely client-side using encrypted timestamps.

Yes. HexBurn PDF lets you upload PDF documents that are encrypted client-side in your browser and burn after a single view. The PDF is converted to encrypted data that never touches our servers, then rendered directly from the encrypted format using PDF.js when the recipient opens the link. After viewing, the PDF is permanently destroyed. This is perfect for confidential contracts, NDAs, sensitive reports, or any document that should be read once and destroyed.

HexBurn P2P Chat establishes a direct peer-to-peer connection between two browsers using WebRTC technology with bulletproof end-to-end encryption. Messages are sent directly from your browser to the recipient's browser without passing through any servers. The chat uses ECDH P-384 key exchange, AES-256-GCM encryption, HMAC-SHA256 authentication, and includes fingerprint verification to prevent man-in-the-middle attacks. Optional self-destruction for every message ensures truly ephemeral conversations with no chat history stored anywhere.

When creating a message, look for the "Add Passphrase" or "Optional Passphrase" field. Enter a strong passphrase that you will share with the recipient separately (via phone call, SMS, or in-person). The message is then double-encrypted: first with AES-256-GCM and then with your passphrase using PBKDF2 key derivation with 200,000 iterations. Only someone with both the link AND the passphrase can decrypt the message. Share the passphrase through a different communication channel than the link for maximum security.

No. HexBurn does not track message views, read receipts, or any analytics. This is by design to maintain complete privacy and anonymity. Once you share a link, there is no way to know if or when it was opened. This zero-tracking approach ensures the sender's privacy as well as the recipient's, with no metadata collection whatsoever.

Secure Link allows you to create encrypted URLs for any external website or resource. Enter any URL, and HexBurn generates an encrypted link that reveals the destination only when opened. This is useful for sharing links anonymously, preventing link preview tracking, bypassing URL filters, or creating self-destructing access to web resources. The destination URL is encrypted client-side and only decrypted when the recipient opens the link.

Messages are not stored at all. The encrypted data exists only in the URL you share, embedded as a URL fragment (the part after #). This fragment is never sent to servers by browsers. For messages that haven't been burned yet, the data persists only as long as the URL exists. Once a message is opened and burned, it is permanently deleted from memory with no server-side storage or backups ever created.

No. Once you share the encrypted link, you cannot recall or delete it remotely because there is no server-side storage. However, the message can only be read once before self-destructing, and without the URL (or if you added a passphrase, without that passphrase), the message cannot be decrypted. If you need revocable messages, consider using the time capsule feature with a short expiration time.

Text messages can be up to several megabytes in length (typically 1-2 million characters). For PDFs, the practical limit depends on browser memory and URL length constraints, but most PDFs under 10-15 MB work well. Very large files may cause performance issues in the browser during encryption and decryption. For optimal performance, keep messages under 100KB and PDFs under 5 MB.

Currently, HexBurn supports text messages and PDF documents. Images, videos, and other file types are not directly supported. However, you can embed base64-encoded images in text messages (advanced users), or use the PDF feature to convert other documents to PDF format before encrypting. Future updates may expand supported file types.

When you create a message, HexBurn automatically generates a QR code option. Click the "Show QR" button to display a QR code containing the encrypted message link. Recipients can scan this QR code with their smartphone camera to instantly access the message. This is perfect for in-person sharing, printed materials, or sharing at events without typing long URLs.

No. Once the encrypted link is generated, the message is immutable and cannot be edited. This is a security feature - immutability ensures message integrity and prevents tampering. If you need to send a corrected message, create a new encrypted message with the correct content and share the new link.

The encrypted message link contains all the data needed to decrypt the message. As long as you copy the full URL (including the part after the # symbol), you can close your browser and share the link later. The message persists in the URL itself. However, if you lose the URL, the message is permanently inaccessible with no recovery option.

Yes. HexBurn links are standard URLs that can be shared through any communication channel including email, SMS, messaging apps (WhatsApp, Telegram, Signal), social media DMs, or even printed on paper. The security comes from the encryption, not the transmission channel. For maximum security, use encrypted email or messaging apps, and consider adding a passphrase shared through a different channel.

No. Each message burns after the first view, so it can only be read by one person. If you need to send the same message to multiple people, you must create separate encrypted messages for each recipient. This ensures true burn-after-reading behavior and prevents unauthorized redistribution.

Yes. Before creating the encrypted link, you can review your message content. After encryption, you can test the link yourself (though this will burn the message). For important messages, consider creating a test message first to verify everything works as expected, then create the real message for your recipient.

HexBurn uses AES-256-GCM (Advanced Encryption Standard with 256-bit keys in Galois/Counter Mode). GCM mode provides both encryption and authentication, protecting against tampering and ensuring data integrity. For passphrase protection, we use PBKDF2 (Password-Based Key Derivation Function 2) with 200,000 iterations and SHA-256 to derive encryption keys from passwords. The P2P chat additionally uses ECDH P-384 for key exchange, HKDF-SHA384 for key derivation, and HMAC-SHA256 for message authentication. All cryptographic operations use the browser's native Web Crypto API.

Encryption keys are generated using cryptographically secure random number generation (crypto.getRandomValues) directly in your browser. Each message gets a unique 256-bit AES key that is generated at the moment of encryption. This key, along with the initialization vector (IV), is embedded in the URL fragment after encryption. When decrypting, the key and IV are extracted from the URL fragment and used to decrypt the message, then immediately cleared from memory after burning. Keys never persist in localStorage, cookies, or any storage mechanism.

The URL contains the encrypted message data, encryption key, initialization vector, and metadata all encoded in the fragment (after the # symbol). Encryption increases data size due to authentication tags and encoding overhead. Longer messages create longer URLs. For very long messages or large PDFs, HexBurn may compress data before encryption to reduce URL length. The fragment-based storage is essential for zero-server-knowledge architecture. URLs are typically 2-3x longer than the original plaintext due to encryption and encoding.

Yes, HexBurn is open source and available for review on GitHub. All code is publicly available for security audits, code reviews, and verification. This transparency allows security researchers and privacy advocates to verify that the encryption works as claimed, with no backdoors, tracking, or hidden data collection. Open source is essential for trustworthy security tools. You can fork, audit, and even self-host HexBurn if desired.

Signal, WhatsApp, and Telegram are messaging apps that require installation and account creation with phone numbers. HexBurn is a web-based tool with no accounts, no installation, and no persistent storage. While those apps offer ongoing conversations, HexBurn specializes in one-time, self-destructing messages with guaranteed burn-after-reading. HexBurn uniquely offers time capsule messages, self-destructing PDFs, and bulletproof P2P chat - features not available together in any other platform. Use Signal for ongoing conversations with known contacts; use HexBurn for anonymous, temporary, self-destructing messages.

Creating messages requires internet connectivity to load the HexBurn website and encryption libraries initially. However, once loaded, the encryption happens entirely client-side without internet. Decrypting and viewing messages requires loading the website initially, but the decryption process itself is client-side. Progressive Web App (PWA) support for true offline functionality may be added in future updates.

Since HexBurn is open source, you can review the code and implement similar encryption in your own projects using the Web Crypto API. The encryption functions can be extracted and used in other applications. However, HexBurn does not currently offer an official public API or embeddable widgets. For integration needs, we recommend linking to HexBurn or implementing the encryption patterns from our open source code with proper attribution.

The link contains all the information needed to decrypt the message, including the encryption key in the URL fragment. If you lose the link, the message is permanently inaccessible with no recovery option. HexBurn has no server-side storage, backups, or recovery mechanisms. Make sure to share the link with your recipient before closing the browser, and consider saving it temporarily until confirmed received.

HexBurn sanitizes all user input before rendering to prevent Cross-Site Scripting (XSS) attacks. Message content is treated as plain text, not executable code. HTML tags and JavaScript are escaped and rendered safely as text. The encryption layer adds another defense since tampering with the encrypted data causes decryption failure due to authentication tags. Content Security Policy (CSP) headers restrict script execution to trusted sources only.

While HexBurn does not use traditional user accounts or MFA, you can add additional security through passphrases. Use a strong passphrase when creating messages and share it with the recipient through a separate secure channel (phone call, encrypted email, in person, or different messaging app). This creates two-factor security: something they have (the link) and something they know (the passphrase). The P2P chat includes fingerprint verification for session authentication.

The URL fragment is the part after the # symbol in a URL. Crucially, browsers never send the fragment to web servers - it remains local to the client. HexBurn stores all encrypted data in the fragment, ensuring that even HexBurn servers never see your encrypted messages. This architectural choice is fundamental to zero-knowledge encryption. When you visit a HexBurn link, the server sends the decryption page, but the encrypted data in the fragment never leaves your browser.

Yes. Since HexBurn is open source and entirely client-side, you can download the code and host it on your own server or even run it locally. The application requires only static file hosting (HTML, CSS, JavaScript) with no backend services, databases, or server-side processing. Self-hosting provides additional assurance that the code hasn't been tampered with and gives you complete control over the infrastructure.

HexBurn uses several modern Web APIs: Web Crypto API (encryption/decryption), WebRTC (P2P chat), File API (PDF handling), Canvas API (QR codes), Web Workers (background processing for large files), and standard DOM APIs. All these are built into modern browsers with no external dependencies. This ensures HexBurn works without third-party libraries for core cryptographic operations.

Since HexBurn has no server-side processing or storage, traditional rate limiting is not needed. The client-side architecture means abuse has minimal impact on infrastructure. Malicious users could create many encrypted messages, but these cost nothing to generate and store since they exist only in URLs. For the P2P chat, WebRTC connections are peer-to-peer, preventing server-side DoS attacks.

No. HexBurn is self-contained with all resources (JavaScript, CSS, fonts, icons) served from HexBurn infrastructure only. We do not use Google Fonts, external CDNs, analytics services, or any third-party integrations that could compromise privacy or security. The only external services are STUN/TURN servers for P2P chat NAT traversal, which handle only connection metadata, never message content.

Yes. HexBurn works perfectly on iOS devices (iPhone and iPad) using Safari, Chrome, Firefox, or Edge mobile browsers. All features including encryption, decryption, PDF viewing, and P2P chat work on iOS. Simply visit HexBurn from your mobile browser - no app installation needed. The responsive design adapts to all iPhone and iPad screen sizes.

Yes. HexBurn is fully compatible with Android devices using Chrome, Firefox, Samsung Internet, Edge, or other modern mobile browsers. All features work identically to desktop, including encrypted messages, time capsules, PDF burning, and P2P chat. The mobile interface is touch-optimized for easy use on smartphones and tablets.

No dedicated mobile app is required or available. HexBurn is a responsive web application that works perfectly in mobile browsers. Web-first architecture ensures you always have the latest features and security updates without app store delays, approval processes, or manual updates. Simply bookmark HexBurn in your mobile browser for instant access.

HexBurn requires a modern browser with Web Crypto API support. Most smartphones from 2017 or newer work well. Specifically: iOS 11+ (iPhone 5s and newer), Android 6.0+ (most devices from 2015+), and modern mobile browsers. Very old devices may lack necessary cryptographic APIs. If your browser supports HTTPS and has the Web Crypto API, HexBurn will work.

Yes. HexBurn works excellent on tablets including iPad, iPad Pro, Samsung Galaxy Tab, Microsoft Surface, and other tablet devices. The responsive design adapts to tablet screen sizes, providing an optimized experience between mobile and desktop. All features are fully functional on tablets with touch-optimized controls.

HexBurn uses a dark theme by default on all devices, providing an OLED-optimized interface that saves battery on mobile devices and reduces eye strain. The cyberpunk-inspired dark navy interface works beautifully on OLED/AMOLED screens found in modern smartphones, providing deep blacks and vibrant accent colors.

Yes. HexBurn links work perfectly when shared through WhatsApp, iMessage, Telegram, Signal, Facebook Messenger, Discord, Slack, or any other messaging app. Simply copy the encrypted link and paste it into your preferred messaging app. Recipients can tap the link to open it directly in their mobile browser.

Yes. HexBurn is cross-platform and works on all desktop operating systems including Windows (7, 8, 10, 11), macOS (10.12+), Linux (all distributions), and Chrome OS. Use any modern browser (Chrome, Firefox, Safari, Edge, Opera, Brave) on any operating system. The experience is consistent across all platforms.

HexBurn is completely free. Zero cost, forever. No trial period, no premium plans, no hidden fees, no credit card required. All features including unlimited messages, PDF encryption, time capsules, and P2P chat are free without restrictions. Privacy should not have a price tag.

No. HexBurn has no paid plans, no premium tiers, no pro versions, and no subscription options. Every feature is free for everyone, always. We will never gate features behind paywalls or require payment for advanced functionality. This is a privacy tool, not a business model.

Yes. HexBurn is committed to being free forever. The client-side architecture means minimal server costs, making the free model sustainable long-term. Even as we add features, they will remain free. Privacy and security tools should be accessible to everyone regardless of financial means.

HexBurn currently operates without monetization. The project is passion-driven with focus on privacy advocacy. Potential future sustainability models could include optional donations, sponsorships from privacy-focused organizations, or enterprise support services - but the core tool will always remain free for everyone.

No. HexBurn has no limits on number of messages, message length (within browser constraints), number of PDFs, or usage frequency. You can send unlimited encrypted messages, create unlimited time capsules, and use P2P chat as much as you want. No throttling, no quotas, no restrictions.

No. Donations are never required. HexBurn is free to use without any obligation to contribute financially. If you find HexBurn valuable and want to support development, voluntary donations may be accepted, but they are never mandatory for access to features or services.

Yes. HexBurn is free for commercial use, businesses of any size, enterprises, organizations, and commercial projects. No business licenses, enterprise agreements, or commercial fees are required. Use HexBurn freely for internal communications, client interactions, or any business purpose.

Encryption is near-instant for typical text messages (under 100KB). Small messages encrypt in 10-50 milliseconds on modern devices. The Web Crypto API uses hardware acceleration when available, making encryption very fast. Large PDFs (5-10 MB) may take 1-3 seconds to encrypt depending on device performance.

Yes. Larger messages take longer to encrypt. Text messages up to 100KB encrypt almost instantly. Messages 100KB-1MB take 100-500ms. Very large messages (1MB+) or large PDFs may take several seconds. Encryption speed scales roughly linearly with data size and depends on device CPU performance.

Decryption requires cryptographic operations that are CPU-intensive. Older devices with slower processors take longer. The Web Crypto API uses hardware acceleration when available, but older devices lack these features. For best performance, use devices from 2017 or newer. Consider using shorter messages or compressed PDFs on older hardware.

Yes. After the initial page load, HexBurn works with minimal or no internet connection since all processing is client-side. Encryption and decryption happen locally in your browser. Slow internet only affects initial page load time. Once loaded, you can create and decrypt messages even offline (though sharing requires connectivity).

HexBurn works on low-end devices, but performance may be reduced for large files. Text messages encrypt quickly on all devices. Large PDFs may strain memory on devices with limited RAM. For optimal experience on low-end hardware, keep messages under 100KB and PDFs under 2MB. The interface is lightweight and optimized for performance.

Browser URL length limits vary: Chrome/Edge support ~2MB URLs, Firefox ~64KB, Safari ~80KB. For maximum compatibility, keep messages under 50KB plaintext (which results in URLs under 100KB encrypted). Very large messages may work in some browsers but fail in others. Consider splitting very large content or using PDF feature.

Yes. After initial page load (~500KB-1MB with caching), HexBurn uses minimal data. Encrypted messages exist in URLs with no additional data transfer. No tracking, analytics, or third-party requests mean zero background data usage. Perfect for mobile users with limited data plans.

HexBurn can work in censored environments, but availability depends on whether HexBurn's domain is blocked. The zero-knowledge architecture means even if accessed, no user data is exposed. For high-censorship regions, consider accessing HexBurn through VPN or Tor. Self-hosting is also possible for regions where the main site is blocked.

Yes. HexBurn supports full Unicode and works with all languages including Chinese, Arabic, Russian, Japanese, Korean, Hindi, and all other languages. Encryption works identically for all character sets and alphabets. Right-to-left languages, complex scripts, and emoji are all fully supported.

Currently, HexBurn interface is in English. Multi-language interface support may be added in future updates based on user demand. However, message content supports all languages - only the interface buttons and labels are English. The encrypted messages themselves can be in any language.

Yes. HexBurn's zero-data-collection architecture makes it compliant with privacy laws worldwide including GDPR (EU), CCPA (California, USA), LGPD (Brazil), POPIA (South Africa), PIPEDA (Canada), and PDPA (Singapore). Since we collect nothing, we violate no privacy regulations.

Yes. HexBurn works anywhere with internet access regardless of your physical location. No geographic restrictions or country blocks exist. Use HexBurn while traveling for secure communication without worrying about local surveillance, hotel WiFi security, or international data laws.

Yes. HexBurn works with all keyboard layouts and input methods including IME (Input Method Editors) for Asian languages, virtual keyboards, on-screen keyboards, and assistive input devices. You can type messages using any input method your device supports.

HexBurn is ideal for: sharing passwords or API keys securely, sending confidential business information, transmitting sensitive legal documents, sharing medical records privately, whistleblower communications, journalist-source interactions, sharing temporary access credentials, birthday surprises with time capsules, one-time contract sharing, sending personal secrets, temporary URL sharing, confidential HR communications, secure client data transmission, and any situation requiring guaranteed message destruction after reading.

Share the link through the most secure channel available: encrypted email (ProtonMail, Tutanota), Signal or other E2E encrypted messaging apps, SMS for short URLs, QR codes for in-person sharing, or verbally for maximum security. If using a passphrase, always share the link and passphrase through different channels - send the link via email and the passphrase via phone call, for example. Never post encrypted links in public forums, social media, or unencrypted channels for sensitive content.

Yes. HexBurn's zero-knowledge architecture, lack of user accounts, and self-destructing messages make it suitable for sensitive journalism and whistleblowing. However, for high-risk situations, combine HexBurn with additional operational security: use Tor browser for anonymity, access from secure locations, use strong passphrases, share links through secure channels, and never use personal devices. For ongoing source protection, consider dedicated tools like SecureDrop alongside HexBurn for one-time messages.

If you shared an unpassword-protected link publicly, anyone with the link can open and burn the message. However, once one person opens it, the message self-destructs and becomes unavailable to others. If you used a passphrase, the message remains encrypted even if the link is public - only someone with both the link and passphrase can decrypt it. For future protection, always use passphrases for sensitive messages.

Yes. Many businesses use HexBurn for sharing temporary credentials, client communications, confidential proposals, contract transmission, sensitive data sharing, secure vendor communications, and internal confidential messages. The GDPR/CCPA compliance by design eliminates data protection concerns. The lack of user accounts means no license management overhead. However, for organizations requiring audit trails, message archiving, or centralized management, dedicated enterprise messaging solutions may be more appropriate.

You can verify HexBurn's security by: reviewing the open source code on GitHub, inspecting network traffic in browser DevTools to confirm no data is sent to servers (except loading the page), examining the browser's developer console to see client-side encryption operations, having security professionals audit the cryptographic implementation, checking that the URL fragment (after #) is not transmitted in HTTP requests, verifying HTTPS certificate, and reading independent security audits if available.

HexBurn provides strong encryption and privacy, making it suitable for sensitive communications. However, some legal or regulatory frameworks require message retention, audit trails, or e-discovery capabilities. HexBurn's burn-after-reading and zero-storage design conflicts with these requirements. Consult your legal and compliance teams to determine if HexBurn fits your specific regulatory obligations. For industries with strict retention rules (finance, healthcare, government), consider alternatives with archiving capabilities.

To share passwords securely: 1) Create a new HexBurn message with the password, 2) Add a strong passphrase, 3) Set a time capsule unlock time if needed, 4) Share the encrypted link via email or Slack, 5) Share the passphrase through a different channel (phone call, SMS, or in-person), 6) Recipient opens link and immediately uses/stores password in a password manager, 7) Message burns after reading, leaving no trace.

HexBurn's encryption is strong enough for medical information, but healthcare providers must consider HIPAA compliance requirements. HIPAA requires Business Associate Agreements, audit logs, and access controls. HexBurn as a free, anonymous tool does not provide BAAs or audit trails. For informal personal health information sharing (sending test results to family, etc.), HexBurn provides excellent privacy. Healthcare organizations should consult compliance officers.

Use HexBurn time capsule feature: create the message with the sensitive information, set unlock time to when it should be revealed, add a passphrase for extra security, share the link immediately (recipient can verify they received it), and the message remains locked until the specified time. Perfect for scheduled announcements, delayed access credentials, or future disclosures.

Common reasons: the message was already opened and burned, the URL was truncated or corrupted when sharing (ensure you copy the entire URL including the fragment after #), the browser blocks JavaScript or Web Crypto API, the message requires a passphrase that was not provided, browser extensions interfering with the page, or cookies/localStorage disabled. Try copying the full URL again, check that JavaScript is enabled, update to a modern browser, ensure you have the passphrase if one was set, and try disabling browser extensions temporarily.

No. Once a message burns, it is cryptographically destroyed with no recovery option. The encryption keys are permanently deleted from memory and the message becomes unrecoverable. This is by design - burn-after-reading means permanent, irreversible deletion. There are no backups, no server copies, no "undelete", and no way to retrieve burned messages. Make sure to save important information before closing the message.

Ensure you are using a modern browser with PDF.js support (Chrome, Firefox, Safari, Edge). Some PDF features like forms, annotations, or complex JavaScript may not render in the browser viewer. Very large PDFs may cause memory issues - try compressing the PDF before encrypting. If issues persist, try a different browser. Some PDFs with DRM or security restrictions may not work.

For security vulnerabilities, please use responsible disclosure practices. Contact us through our GitHub repository issues for bug reports. For sensitive security reports, use encrypted communication channels. Include detailed steps to reproduce, browser information, operating system, screenshots if applicable, and any error messages. We take security reports seriously and will respond promptly to verified vulnerabilities.

No dedicated mobile app is required or available. HexBurn is a responsive web application that works perfectly in mobile browsers (Safari on iOS, Chrome on Android, Samsung Internet, Firefox Mobile). Simply visit the website from your mobile browser and use all features without installing any app. The web-first approach ensures you always have the latest security updates without app store delays.

Some security tools may flag encryption tools or privacy software as suspicious due to their use of cryptography and obfuscation techniques. This is a false positive. HexBurn is open source, uses standard Web Crypto APIs, and has no malware, viruses, or malicious code. You can verify this by reviewing the source code on GitHub. If your corporate firewall blocks HexBurn, contact your IT department to whitelist the domain.

HexBurn is a free, privacy-first tool with no user accounts or commercial support contracts. Support is provided on a best-effort community basis through GitHub issues, documentation, and this comprehensive FAQ. For critical security concerns, use our responsible disclosure process. Since we have no access to your messages or user data, we cannot provide account recovery, message retrieval, or personalized support for encrypted content.

P2P chat requires WebRTC support and may fail on restrictive networks. Common issues: corporate firewalls blocking WebRTC, VPN/proxy interfering with peer connections, browser WebRTC disabled in settings, NAT traversal failure (HexBurn uses TURN servers as fallback). Try: disabling VPN temporarily, checking browser WebRTC settings, trying different network (mobile hotspot), or using standard encrypted messages instead.

HexBurn is open source, so you can review and learn from the code. While we do not provide commercial support or implementation services, the community may help with questions on GitHub. For businesses requiring integration assistance, custom implementations, or dedicated support, consider hiring developers familiar with Web Crypto API and encryption.

Decryption fails when: wrong passphrase entered, URL corrupted or incomplete (missing characters after #), message tampered with (breaking authentication), browser incompatibility with encryption format, or JavaScript errors. Double-check the passphrase, ensure full URL was copied, try a different browser, and check browser console for JavaScript errors.

HexBurn offers more features than PrivNote or OneTimeSecret, including time capsule messages with future unlock dates, self-destructing PDFs with viewer, and bulletproof P2P chat with E2EE. HexBurn uses more modern cryptography (AES-256-GCM via Web Crypto API) with stronger key derivation (PBKDF2 200,000 iterations), has a more polished cyberpunk-inspired user interface, and is fully GDPR compliant with zero data collection. Unlike some alternatives, HexBurn is completely free forever with no premium upsells, advertisements, or feature limitations.

HexBurn and encrypted email serve different purposes. Encrypted email (like ProtonMail or PGP) requires both parties to have compatible encryption setups and is designed for ongoing correspondence with persistent message storage. HexBurn requires no setup, no accounts, no recipient software - just share a link in any browser. HexBurn messages also self-destruct after reading, which encrypted email does not. Use HexBurn for one-time, disposable, anonymous messages that should leave no trace; use encrypted email for ongoing secure correspondence with known contacts.

Signal and WhatsApp require both parties to install apps, create accounts linked to phone numbers, and maintain contact lists. HexBurn requires nothing from the recipient - just open a link in any browser anonymously. HexBurn is ideal for one-time messages, anonymous communications, sharing with strangers, or when you need to communicate with someone who doesn't have specific apps installed. Use HexBurn for temporary, anonymous, self-destructing one-off messages; use Signal/WhatsApp for ongoing encrypted conversations with known contacts in your phone book.

HexBurn uniquely combines: true zero-knowledge client-side encryption with no server access, self-destructing burn-after-reading messages, time capsule messages with future unlock dates, self-destructing PDF support with viewer, bulletproof P2P encrypted chat with ECDH key exchange and fingerprint verification, complete GDPR compliance by design with zero data collection, no accounts or registration ever, 100% free forever with no premium tiers, open source and independently auditable code, modern cyberpunk-inspired OLED-optimized interface, and comprehensive documentation. No other platform offers this complete feature set in one privacy-focused package.

Telegram Secret Chats require both parties to have Telegram installed and accounts created. HexBurn works in any browser with no installation. Telegram Secret Chats are device-specific and cannot be accessed from other devices. HexBurn messages can be opened from any device with the link. Both offer end-to-end encryption and self-destructing messages. HexBurn additionally offers time capsules and PDF burning. Use Telegram for ongoing conversations; use HexBurn for one-time anonymous messages.

Yes, significantly. Snapchat stores messages on servers before deletion and has been known to retain deleted content for law enforcement. Snapchat requires accounts and tracks extensive user data. HexBurn uses zero-knowledge encryption with no server storage - messages exist only in URLs and burn cryptographically with no recovery. Snapchat "disappearing" messages can be screenshotted with sender notification; HexBurn messages are encrypted and cannot be recovered after burning even if screenshots are taken.

ProtonMail is end-to-end encrypted email requiring both parties to have ProtonMail accounts (or using less secure PGP for external recipients). ProtonMail stores encrypted emails until deleted. HexBurn requires no accounts, messages burn automatically after reading, and works with anyone. Use ProtonMail for ongoing email correspondence with permanent storage; use HexBurn for temporary one-time messages that should leave no trace.

Password managers (like Bitwarden, 1Password, LastPass) are for personal password storage with account-based sharing. HexBurn is for temporary, one-time credential sharing with anyone without requiring them to have accounts. Use password managers for your own password storage and team management; use HexBurn for sending temporary passwords, API keys, or credentials to clients, contractors, or external parties who don't have access to your password manager.

Yes, HexBurn is fully GDPR (General Data Protection Regulation) compliant by design. Since we collect zero personal data, store no user information on servers, use no cookies, no tracking, and process everything client-side in the browser, there is no personal data to protect, breach, or misuse. HexBurn does not require data processing agreements, privacy impact assessments, GDPR consent notices, or cookie banners because no data processing occurs on our servers. This is compliance through data minimization taken to the extreme.

Yes. HexBurn complies with CCPA (California Consumer Privacy Act), LGPD (Brazilian data protection law), POPIA (South African data protection), PIPEDA (Canada), PDPA (Singapore), and other global privacy regulations. Our zero-data-collection architecture means there is nothing to sell, share, or monetize. Users have no need to request data deletion, access, or portability because we never have their data in the first place. No data = no compliance burden.

Since HexBurn collects and stores zero personal data, traditional GDPR rights (right to access, right to deletion, right to portability, right to rectification, right to object) do not apply - there is no data to access, delete, port, correct, or object to. This is the ultimate form of compliance through data minimization. Users have complete control since all data exists only in their browsers and shared URLs, never on HexBurn servers.

HexBurn's strong encryption and zero-storage architecture align with HIPAA privacy and security principles. However, HIPAA compliance requires Business Associate Agreements (BAAs), audit trails, access controls, employee training, physical safeguards, and administrative safeguards that HexBurn does not provide as a free, anonymous tool. Healthcare organizations should consult their compliance officers before using HexBurn for protected health information (PHI). For informal, temporary personal health information sharing, HexBurn provides strong privacy protection.

HexBurn strives for WCAG 2.1 Level AA accessibility compliance, including proper color contrast ratios, keyboard navigation support, screen reader compatibility, semantic HTML structure, focus indicators, and accessible forms. We continuously improve accessibility features based on user feedback. If you encounter accessibility barriers, please report them so we can address them. Accessibility is essential for inclusive privacy tools.

HexBurn does not hold SOC2 or ISO 27001 certifications, as these are expensive audit processes typically pursued by commercial services. However, HexBurn's architecture inherently meets many of these security principles: data encryption, zero-knowledge design, no data retention, open source transparency, secure development practices, and regular security updates. For enterprises requiring certified vendors, consider that our zero-knowledge architecture means we never access your data regardless of certifications.

HexBurn uses military-grade AES-256 encryption and could be used for secure communications. However, government and military organizations typically have specific requirements including on-premise hosting, certifications (FedRAMP, IL4/IL5), dedicated support, and audit capabilities. Since HexBurn is open source, government agencies could self-host and audit the code. For official government communications, consult your security office regarding approved communication tools.

Yes. The EU ePrivacy Directive requires consent for cookies and tracking. HexBurn uses zero cookies, zero tracking, and zero storage, making it fully compliant without requiring consent banners or cookie notices. All processing happens client-side with no data transmission to servers (except loading the application itself).

The P2P chat uses ECDH key exchange to establish encryption keys. To prevent man-in-the-middle attacks during key exchange, both parties must verify the session fingerprint - a SHA-256 hash of the session key displayed as readable text. If an attacker intercepts the connection, the fingerprints will not match. Verify fingerprints via phone call, video chat, or in-person before starting sensitive conversations. This provides the same security as Signal's safety numbers.

The P2P chat includes sequence numbers with every message. Each message has a monotonically increasing sequence number. The recipient tracks all received sequence numbers and rejects duplicates. This prevents attackers from capturing and replaying old messages. Even if an attacker records encrypted messages, they cannot replay them successfully.

Perfect Forward Secrecy (PFS) means compromising current encryption keys does not expose past messages. The HexBurn P2P chat supports PFS through key rotation - session keys can be rotated during the conversation, generating new encryption keys and destroying old ones. Even if a session key is later compromised, only messages encrypted with that specific key are affected. Previous messages encrypted with earlier keys remain secure.

HexBurn encrypts message content but cannot hide that communication occurred. Network observers can see you visited HexBurn and timing/size of data transfers. For protection against traffic analysis, use Tor browser or VPN when accessing HexBurn. The P2P chat uses WebRTC which may expose IP addresses to peers - use VPN if IP anonymity is required.

Timing attacks on cryptographic operations are mitigated by using the browser's Web Crypto API, which includes timing attack protections in its implementation. Additionally, constant-time comparison is used where applicable. However, JavaScript's single-threaded nature and browser optimizations mean perfect timing attack resistance is challenging. For ultra-sensitive scenarios, consider using tools with constant-time implementations in lower-level languages.

If HexBurn servers are compromised, attackers could potentially modify the application code to include backdoors. However, since encryption happens client-side and we store no data, existing encrypted messages remain secure. To protect against this scenario: verify the open source code matches what you receive, self-host HexBurn, use browser extensions to verify code integrity, or use the open source code directly. This is a risk with all web-based cryptographic applications.

No. HexBurn uses only standardized, well-vetted, industry-standard encryption algorithms: AES-256-GCM (NIST FIPS 197), PBKDF2-SHA256 (RFC 2898), ECDH P-384 (NIST SP 800-56A), HKDF-SHA384 (RFC 5869), and HMAC-SHA256 (RFC 2104). We never use custom or proprietary encryption, as this is a major security anti-pattern. Using standard algorithms allows independent verification and benefits from decades of cryptanalysis.

Initialization vectors are generated using cryptographically secure random number generation (crypto.getRandomValues) which uses the operating system's CSPRNG (Cryptographically Secure Pseudo-Random Number Generator). Each message gets a unique random 96-bit IV for AES-GCM. IVs are never reused with the same key, preventing IV reuse vulnerabilities. The IV is included in the encrypted payload for decryption.

Side-channel attacks (power analysis, electromagnetic emanation, cache timing) are difficult to prevent in JavaScript running in browsers. HexBurn relies on the Web Crypto API's protections against some side-channel attacks. For protection against physical side-channel attacks, use HexBurn on trusted devices in secure locations. The threat model assumes device-level security; HexBurn cannot protect against compromised hardware or malicious operating systems.

HexBurn uses 256-bit AES keys, providing 256 bits of entropy (2^256 possible keys). This is computationally infeasible to brute force with current or foreseeable technology. Even if all computing power on Earth was dedicated to brute-forcing a single key, it would take billions of years. For reference, breaking 256-bit encryption would require more energy than exists in the universe.

Yes! HexBurn is open source and welcomes contributions. You can contribute code improvements, bug fixes, feature additions, documentation, translations, security audits, or usability enhancements. Check the GitHub repository for contribution guidelines, open issues, and development roadmap. All contributions are reviewed for security and code quality.

HexBurn is built with: Astro (static site generation and routing), React (interactive components as islands), TypeScript (strict mode for type safety), Tailwind CSS (utility-first styling), Web Crypto API (encryption/decryption), WebRTC (P2P chat), PDF.js (PDF rendering), QRCode.react (QR code generation), and modern Web APIs. No backend services or databases. Fully static, client-side only.

Compare the deployed code with the open source repository: 1) View page source in browser, 2) Compare JavaScript files with GitHub repository, 3) Check file hashes (if provided), 4) Review the open source code yourself, 5) Self-host from source to ensure no modifications. For maximum security, self-hosting ensures you control exactly what code runs.

Yes. Since HexBurn is open source, you can extract the encryption functions and use them in your own projects. The core encryption logic is portable and can be integrated into other applications. Review the crypto.ts and p2pCrypto.ts files for implementation details. Ensure proper attribution and follow the open source license terms.

HexBurn does not currently offer a REST API or programmatic interface. The application is designed for human use through the web interface. However, since the code is open source, developers can extract the encryption functions and create their own programmatic implementations. Future versions may include a JavaScript library for easier integration.

Clone the GitHub repository, install dependencies (npm install), run the development server (npm run dev). The application runs entirely client-side, so no backend setup is needed. Modify code in the src/ directory. Build for production with npm run build. See README.md in the repository for detailed development instructions.

Yes, since HexBurn is open source. You can fork the repository, customize branding, colors, logos, and features, and deploy your own version. Ensure compliance with the open source license (provide attribution and maintain open source). This is perfect for organizations wanting self-hosted secure messaging with their own branding.

Potential future features include: Progressive Web App (PWA) support for offline use, additional file type support (images, videos), group encrypted chat, message expiration based on time (not just reading), multiple language interface support, browser extensions for quick access, CLI tool for developers, integration with password managers, and enhanced mobile experience. Feature priorities depend on user feedback and community contributions.

File sharing for images, documents, and other file types is being considered for future versions. The challenge is balancing file size (which affects URL length) with browser performance and cross-browser compatibility. Compressed image formats and optimized encoding may enable broader file type support while maintaining security and usability.

Currently, no native mobile apps are planned. The web-first approach ensures cross-platform compatibility without app store restrictions, approval delays, or update friction. However, Progressive Web App (PWA) support may be added, allowing users to "install" HexBurn on mobile devices for offline access and home screen shortcuts while maintaining the web-based architecture.

Group encrypted messaging is technically complex due to key management challenges. Potential solutions include separate message copies for each recipient or group key distribution. This feature is under consideration but requires careful security design to maintain the zero-knowledge architecture and burn-after-reading guarantees.

Yes! Feature requests are welcome on the GitHub repository. Users can submit issues for feature requests, upvote existing requests, and discuss implementation approaches. Popular community requests influence development priorities. However, any feature must maintain HexBurn's core principles: zero-knowledge encryption, no data collection, client-side processing, and privacy-first design.

No, never. Account-free operation is a core principle of HexBurn. Any features requiring accounts would fundamentally compromise the privacy model and create data collection opportunities. All future features will maintain the zero-account, zero-data-collection architecture. Privacy is not negotiable.