I built a fully anonymous, E2E-encrypted P2P messenger that runs entirely in the browser #webdev #privacy #javascript #cryptography

That's the whole relay. The operator genuinely cannot read messages — not because of policy, but because the math doesn't let them.

The honest tradeoff: the relay can see that a message was sent (metadata), even if it can't see what. For real anonymity you'd want onion-routing the fan-out. That's on the roadmap.

A few things I learned along the way

IndexedDB is a real database, not localStorage. Treat it like one. Versioned schema, compound index [conversationId, timestamp], cursor-based pagination. "Load last 50 messages" is O(log n) with the right index.

Service Workers can do encrypted push. The push payload itself is ciphertext, so the push service (FCM/Mozilla) only ever sees ciphertext. The SW decrypts and displays.