Show HN: How I Built a Zero-Cost, True End-to-End Encrypted Chat App using Node.js & Web Crypto API

Levi — Wed, 13 May 2026 20:01:32 +0000

Hi everyone, I’m Levi.

I am a complete beginner when it comes to advanced software engineering, but I have a deep passion for coding and building things from scratch. I’ve been learning bit by bit, taking my time to understand how the web actually works under the hood.

Recently, I started exploring the concept of "Vibe Coding"—the process of building software by guiding AI with natural language, focusing on the logic, architecture, and "vibe" of the app while learning the actual syntax along the way.

Today, I want to share the very first platform I built using this approach: A zero-cost, true end-to-end encrypted (E2EE) chat application.

The Goal
I wanted to build a chat room where two people could talk without anyone—not even me as the server owner—being able to read the messages. And because I am just starting out, my budget was exactly $0.

The Tech Stack

Frontend: Vanilla HTML, CSS, JavaScript
Backend: Node.js, Express, Socket.io
Security: Native browser window.crypto.subtle (Web Crypto API)
Hosting: Render (Free Tier) & GitHub

How I Built the Encryption (The Fun Part!)
Instead of relying on heavy third-party libraries, I wanted to learn how true cryptography works directly in the browser.

Key Generation: When a user opens the app, the browser instantly generates an ECDH (Elliptic-Curve Diffie-Hellman) public/private key pair.

The Handshake: Users join a room using a simple code or a shareable link. Once both are in, they exchange their public keys via Socket.io.

The Shared Secret: Using their own private key and the friend's public key, both browsers derive a matching 256-bit AES-GCM shared secret.

Total Privacy: Every message typed is encrypted locally in the browser into unreadable ciphertext before it ever hits the network. The Node.js server only routes the ciphertext. It has no database, no logs, and no idea what the users are saying.

The "Self-Destruct" Feature
Because I don't use a database, there is zero persistent storage. To take privacy a step further, I added a self-destruct mechanism. The moment one user closes their browser tab or disconnects, the server emits a signal that forces the other user's browser to wipe all local memory, clear the chat UI, and refresh the page. No trace is left behind.

The Vibe Coding Experience
As a beginner, tackling WebSockets and Elliptic-Curve Cryptography sounded terrifying. But by using the vibe coding method, I was able to break the problem down into simple human logic: "How do two people agree on a secret password in a crowded room without anyone else hearing it?" Translating that logic into code piece-by-step made the learning curve incredibly rewarding.

Try It Out!
I would absolutely love for this community to try it, break it, and give me feedback. What security flaws did I miss? How can I write cleaner code? I am here to learn.

🔗 Live App: https://hidechat-levi.onrender.com

If you like what I’ve built as my first project, any tips, code reviews, or even a virtual coffee would mean the world to me. Thanks for reading!

DEV Community: Levi

Show HN: How I Built a Zero-Cost, True End-to-End Encrypted Chat App using Node.js & Web Crypto API