Some encrypted-messaging tools (Signal, for example) refuse to ship a browser app. They have a reason. We took the harder path — and built around the actual problems instead of working around them by skipping the web tier entirely.
A browser-served app is structurally weaker than a native one for three concrete reasons:
Calling the browser a fundamentally weaker surface isn't controversial. Treating it as un-improvable is. Below is exactly what we ship today, and exactly what we're building next.
No analytics SDKs, no ad pixels, no chat widgets, no fingerprinting libraries, no Google Fonts (we self-host every typeface we use), no CDN-served assets, no preconnects to off-domain hosts. Audit a page load and the only origin in flight is koaich.com. We measure on our own infrastructure.
Authentication on the web tier uses WebAuthn — your authenticator (Apple ID, 1Password, hardware key) signs challenges directly. The private key never leaves the authenticator. No password fields exist on Koaich, anywhere. Phishing-resistant by construction; the browser refuses to honor a challenge from a wrong origin.
HTTP Strict Transport Security with a two-year max-age tells the browser to refuse HTTP entirely for koaich.com — preempting downgrade attacks at the network layer.
Our CSP locks every off-origin loader: connect-src is self + Supabase only; img-src is self + data + blob; font-src is self only; frame-ancestors is none (except the iframe-embeddable scorecard). No third-party JS, no third-party fonts, no third-party images can load.
Cross-Origin Opener Policy same-origin and Cross-Origin Embedder Policy credentialless isolate our window from cross-origin contexts. A malicious site that opens us as a popup can't inspect our state via shared memory or window handles.
Referrer-Policy: no-referrer means clicks off koaich.com don't leak which page the user was on. Permissions-Policy denies every browser feature we don't use (geolocation, camera-by-default, microphone-by-default, USB, MIDI, autoplay, payment, etc.). Reduces the surface a malicious script could probe even if it somehow ran.
The product app already runs strict CSP. The landing site you're reading uses Next.js streaming SSR, which emits inline <script> hydration data — today's CSP allows 'unsafe-inline' on script-src for that. The PLANNED tightening switches to a nonce-based CSP via middleware, so every page can drop 'unsafe-inline' while still letting Next.js's own hydration scripts run.
SHA-384 integrity hashes on every script and stylesheet, so a tampered asset fails the browser's check and never runs. Already in production for the app's critical-path bundles; the rest of the bundle graph plus the landing site are next.
The browser's local database currently stores ciphertext that the app reads back and decrypts in memory. We're moving to a model where every row is encrypted under a key derived from your WebAuthn authenticator. A malicious extension can read the bytes; it can't derive the wrapping key without your authenticator.
Trusted Types converts dangerous DOM sinks (innerHTML, script.src) into typed objects that must come from a sanitizer. Kills the last category of XSS even when CSP is bypassed by a future browser bug.
Every release will be a deterministic build from a tagged Git commit. Anyone can rebuild the source and verify the deployed JavaScript bundle matches, byte-for-byte. Closes the "vendor pushed different code to one user" attack — anyone who suspects we did would be able to prove it.
Each release signs its bundle hash into a public transparency log (Sigstore / Rekor). A small browser extension (ours, optional) verifies the loaded bundle against the log before letting the app execute. This is the property that makes a web client meaningfully verifiable end-to-end.
Vault names + descriptions, and contact list entries, currently store cleartext server-side. Both are being migrated to encrypt under per-vault and per-user keys so the database holds opaque ciphertext for them too. The content (messages, documents, files) was already encrypted; this closes the remaining metadata gap. /security tracks the current state.
For a security reviewer: the web tier today provides phishing-resistant auth, content-injection-resistant code delivery, isolated origin context, and zero third-party trust. The remaining gaps — local storage that's readable to extensions, no public verifiability of the deployed bundle — are roadmap items with concrete designs. Read the architecture page; ask us specifics; we'll answer.
For an everyday user:the web app is fine for the things browsers are fine for — checking a thread, reading a doc, signing in from someone else's laptop. For your most sensitive material, the iOS and Android apps benefit from OS-level keystores the browser doesn't have access to. We'll always recommend native apps for primary use; web is the second device.
/security is the canonical architecture page. /blast-radius shows the pattern this design is built against.