A web application for sharing files and text between two devices without an account or previous contact. Try it here (uptime not guaranteed)
When I use a PC I do not trust (like a school PC with an outdated version of Windows and an antivirus that is disabled for some reason I still have not figured out), I do not want to plug in any USB stick or open my password manager, which is problematic since my passwords are 10+ characters long and randomly generated. I often resort to typing them by hand, which is annoying. Now, I can simply open up this website and scan the QR code to transfer anything from my phone to the PC.
- End-to-end encryption: The server does not see what is being sent (only the size)
- No Data Retention: Files get deleted shortly after upload (default: 30 minutes)
- No user tracking (no cookies, no browser fingerprinting, no nothing)
- Sessions expire after a short amount of time (15 min by default)
- All data deleted shortly after upload (30 min by default)
- QR Code: Main displays QR code, connector scans it
- Human-Readable Codes: PGP wordlist encoding for easy verbal transmission
- Text message and file transfer
- A sleek, modern, responsive web interface
- No installation or configuration required by clients (all in browser)
- High RAM usage for the connector and main
- A malicious server admin could replace the normal webpage with one that does not encrypt the data and the user would not be able to notice
For Main:
- Open http://localhost:3000/
- Share the QR code or PGP-encoded connection code with connector
- Files/messages appear automatically when sent
For Connector:
- Scan QR code or open /connect page and enter connection code
- Type message and/or upload files
- Click "Send Securely"
- Main gets the messages
- Both parties generate DH key pairs
- Public keys are exchanged via the server
- Shared secret is computed locally
- Encryption key is derived using HKDF-SHA256
- Algorithm: AES-256-GCM (Galois/Counter Mode)
- Key Size: 256 bits
- IV: 16 random bytes per message
- 3-word code derived from encryption key to spot man-in-the-middle attacks
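The steps above, from key exchange to the check code, as an added example that is not reverseqr's own code. It uses Node's built-in crypto module instead of the browser's crypto.subtle so it runs synchronously; the P-256 curve, the empty HKDF salt, the info label and the hex check code (standing in for the three PGP words) are assumptions.

```javascript
// Added example, not reverseqr's code. Assumptions: ECDH on P-256, empty HKDF
// salt, the info label below, and a check code taken from SHA-256(key).
const nodeCrypto = require('node:crypto');

function newParty() {
  const ecdh = nodeCrypto.createECDH('prime256v1');
  return { ecdh, publicKey: ecdh.generateKeys() };
}

// Shared secret -> 256-bit AES key via HKDF-SHA256.
function deriveKey(party, peerPublicKey) {
  const secret = party.ecdh.computeSecret(peerPublicKey);
  const okm = nodeCrypto.hkdfSync('sha256', secret, Buffer.alloc(0), 'example-session-key', 32);
  return Buffer.from(okm);
}

// Three bytes of a hash of the key, shown as hex here (the page uses three words).
function checkCode(key) {
  return nodeCrypto.createHash('sha256').update(key).digest().subarray(0, 3).toString('hex');
}

function encrypt(key, plaintext) {
  const iv = nodeCrypto.randomBytes(16); // fresh 16-byte IV per message, as listed above
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, ciphertext, tag: cipher.getAuthTag() };
}

function decrypt(key, { iv, ciphertext, tag }) {
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAuthTag(tag); // final() throws if the key or data does not match
  return Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString('utf8');
}

// relay(pub) models what the server hands on to the other side.
function runSession(relay) {
  const main = newParty();
  const connector = newParty();
  const mainKey = deriveKey(main, relay(connector.publicKey));
  const connectorKey = deriveKey(connector, relay(main.publicKey));
  return { mainKey, connectorKey, mainCode: checkCode(mainKey), connectorCode: checkCode(connectorKey) };
}

const honest = runSession((pub) => pub);
const interceptor = newParty(); // constructed: a server that substitutes its own public key
const tampered = runSession(() => interceptor.publicKey);
console.log('honest codes match:', honest.mainCode === honest.connectorCode);
console.log('tampered codes match:', tampered.mainCode === tampered.connectorCode);
```

When the relay substitutes a key, each side ends up with a different AES key, so the codes shown on the two devices differ and GCM authentication fails on decryption.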
Important
Reverseqr uses crypto.subtle in the browser, which is only available in a secure context (localhost or https). The whole app will therefore not work correctly outside one (for example when testing with a second device on the same network). In such conditions, the page will load but will not display any QR code or connection code and will not permit any data transfer. This does, however, indicate that the server is working fine. More info
- Clone and navigate to project:
  cd reverseqr/
- Install dependencies:
  npm install
- Start the server:
  npm start
- Access the application:
- Main: http://localhost:3000 (by default)
- Connector: http://localhost:3000/connect (by default)
Please follow the instructions in SETUP.md
- POST /api/session/create - Create main session with strict rate limiting
- POST /api/session/join - Join existing session as connector (only one connector per session)
- GET /api/session/status/:code - Get session status and DH public keys
- POST /api/message/send - Send encrypted message or file
- GET /api/message/retrieve/:code - Retrieve encrypted messages for a connection
- GET /api/file/download/:filename - Download encrypted file
- GET /api/config - Get server configuration (max sizes, timeouts, etc.)
- GET /api/429-images - List images for 429 rate limit error page
- GET /api/404-images - List images for 404 error page
- GET /health - Server health check
- GET / - Main page displaying QR code
- GET /connect - Page to enter connection code
- GET /join?code= - Redirects to connector page and auto-connects
- WebSocket server for real-time notifications (message available, keys exchanged, etc.)
- In-memory session storage (max ~1000 concurrent)
GPL 3.0 License - See LICENSE file for details
Contributions are welcome! Please feel free to submit issues or pull requests.
- Test connectivity with the /health endpoint
- Make sure you are using localhost, not your local IP
- Try using the setup script
- Reboot yourself (sleep) and try again
Made with passion in Munich, Germany