Live Demos
Secure Todo List
A CRUD REST app where every request — GET, POST, DELETE — is
encrypted by the Service Worker before leaving the browser.
The application code calls plain fetch().
Django Admin
The full Django admin interface served inside a shell page. Navigation, form submissions, and page loads all flow through the encrypted tunnel — the browser renders normal HTML.
HTTPS → SFPQ → Django
Technology Stack
Key Exchange
PQXDH
ML-KEM-768 (FIPS 203) + X25519 hybrid — secure against both classical and quantum adversaries
Authentication
ML-DSA-65
FIPS 204 lattice signature; server identity pinned in the Service Worker
Symmetric Encryption
ChaCha20-Poly1305
AEAD cipher; key derived per-message from the Double Ratchet chain
Session Protocol
Double Ratchet + SPQR
Per-message forward secrecy; post-compromise recovery every 10 messages via SPQR epoch advance
Delivery Mechanism
Service Worker
W3C standard; one PQXDH handshake per browser session regardless of page navigation count
Implementation
Rust → WASM
All cryptography written in Rust, compiled to WebAssembly; runs inside the Service Worker
Request path:
page → fetch('/api/todos')
→ Service Worker intercepts
→ WASM encrypts (ChaCha20-Poly1305, DR step N)
→ POST /v2/secure-bin to server
→ server decrypts, routes to backend
→ response encrypted back
→ WASM decrypts
→ Response returned to page as plaintext
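
The encrypt and decrypt steps of the request path, sketched as an added example (not the project's code, which is Rust compiled to WASM). It covers only the symmetric chain step and the ChaCha20-Poly1305 seal, using the HMAC chain construction from the Signal Double Ratchet specification. The frame layout, the function names and the use of Node.js in place of a Service Worker are assumptions; the DH ratchet, SPQR and out-of-order delivery are left out.

```javascript
// Added illustration, not the project's code. Runs under Node.js (node:crypto).
const crypto = require('node:crypto');

// Constructed stand-in for the chain key a PQXDH handshake would establish.
function newSession(sharedSecret) {
  return { chainKey: Buffer.from(sharedSecret), n: 0 };
}

// Symmetric ratchet step (Signal Double Ratchet spec construction):
// message key = HMAC(ck, 0x01), next chain key = HMAC(ck, 0x02).
function chainStep(chainKey) {
  const mac = (b) => crypto.createHmac('sha256', chainKey).update(Buffer.from([b])).digest();
  return { messageKey: mac(0x01), nextChainKey: mac(0x02) };
}

function nonceFor(n) {
  const nonce = Buffer.alloc(12); // each message key is used once; counter adds margin
  nonce.writeUInt32BE(n, 8);
  return nonce;
}

// Assumed frame layout: 4-byte counter N || ciphertext || 16-byte Poly1305 tag.
function sealRequest(state, req) {
  const { messageKey, nextChainKey } = chainStep(state.chainKey);
  const header = Buffer.alloc(4);
  header.writeUInt32BE(state.n);
  const c = crypto.createCipheriv('chacha20-poly1305', messageKey, nonceFor(state.n), { authTagLength: 16 });
  c.setAAD(header); // bind the counter to the ciphertext
  const ct = Buffer.concat([c.update(JSON.stringify(req), 'utf8'), c.final()]);
  state.chainKey = nextChainKey; // the used message key cannot be re-derived from the new chain key
  state.n += 1;
  return Buffer.concat([header, ct, c.getAuthTag()]);
}

function openRequest(state, frame) {
  if (frame.length < 20) throw new Error('frame too short');
  const header = frame.subarray(0, 4);
  if (header.readUInt32BE() !== state.n) throw new Error('unexpected message counter');
  const { messageKey, nextChainKey } = chainStep(state.chainKey);
  const d = crypto.createDecipheriv('chacha20-poly1305', messageKey, nonceFor(state.n), { authTagLength: 16 });
  d.setAAD(header);
  d.setAuthTag(frame.subarray(frame.length - 16));
  const pt = Buffer.concat([d.update(frame.subarray(4, frame.length - 16)), d.final()]); // throws on tampering
  state.chainKey = nextChainKey; // advance only after the tag verifies
  state.n += 1;
  return JSON.parse(pt.toString('utf8'));
}
```

Because the receiver advances its chain only after the tag verifies, a tampered or replayed frame is rejected without desynchronising the session.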