A fast, private and secure web notebook.
Users can create task lists, reminders, tables, links, math expressions or code blocks using Markdown and HTML. They can add images, audio or videos via URL. Notes can be searched, sorted by category or organized into folders.
Users can sync notes across devices in a secure database after signing in without needing an email address, only a username and strong password. Public notes can be shared via a random URL.
This website is a Progressive Web App (PWA) that can be installed as an application. Design is responsive and optimized for all mobile devices or macOS/Windows.
The site is accessible to users with disabilities through high-contrast colors, ARIA modules, and focusable elements.
The website follows OWASP security recommendations.
All notes are sanitized and validated through the DOMPurify library. All notes are encrypted with AES-256-GCM. Each user has a cryptographically secure key generated after signing up and a rotated JWT token securely stored in Redis.
Protection against XSS and CSRF attacks is ensured through a robust CSP, secure cookies or tokens.
Users can lock the app using biometrics (fingerprints, face, etc.). These biometric data are never sent to the server, verification is local and UI/UX only.
- 2FA protection
If you find issues, vulnerabilities or if you have any suggestions to improve this project, feel free to discuss!
The project is configured to start with a single Docker command. A more robust configuration is required for production.
docker-compose up --build to build the Docker container
Important
Once built, the website is available at localhost:8787, but if you want to deploy it on a public server, you need to install a SSL certificate to use note encryption (Web Crypto API requires HTTPs).
- Change NODE_ENV to "production" in .env
- Secure nginx and express with HTTPs
- Edit all users, passwords and secret keys
- Edit nginx and Docker configurations
- Edit .env and docker-compose.yml files
- Edit all database tables name
- To store user encryption keys, I recommend using a secure vault like AWS KMS, Azure Key Vault or a self-hosted solution instead of the database