Password protection
Adds zero-knowledge protection for sensitive pastes.
Safety & security
Protection levels
Pick the right level for what you share
Standard sharing
Convenient, not zero-knowledge
Fast links and raw text access. The server stores the key needed to decrypt unexpired content.
Best for
- · Code snippets and logs
- · Quick notes shared in chat
- · Public configs or examples
In a data breach, unexpired standard pastes may be readable.
Password protected
Zero-knowledge mode
The password stays in your browser. The server stores only the encrypted content and wrapped key.
Best for
- · API keys and credentials
- · Recovery codes or seed phrases
- · Private docs or sensitive notes
In a data breach, pastes are not readable without the password.
Report abuse
How we handle harmful content
textdrop.sh is built for sharing text, code, notes, and temporary secrets. It is not a place to host abuse, malware, phishing material, or content that harms people.
Not allowed
- Malware, ransomware, or phishing content
- Credential dumps or stolen secrets
- CSAM or content that exploits minors
- Harassment, doxxing, threats, or illegal content
Actions we may take
- Disable access to reported pastes
- Remove content that violates our guidelines
- Rate limit or block abusive traffic
- Preserve and share logs when legally required
See something that violates our guidelines?
Report abuseYour controls
Your controls
Burn after read
Deletes the paste after the first successful open.
Automatic expiry
Removes old pastes automatically after the TTL you choose.
No account required
No profiles, signups, or account passwords to manage.
Security FAQ
Are standard pastes zero-knowledge?+
No. Standard pastes are encrypted before storage, but textdrop.sh stores the data key so normal links and raw text access work without a password.
What happens if stored data leaks?+
Unexpired standard pastes may be readable because the service stores the data key. Password-protected pastes cannot be read.
What does password protection change?+
The password stays in your browser. The raw data key is wrapped client-side with a password-derived key, and the server stores only the wrapped key.
How does burn after read work?+
Burn-after-read pastes are deleted as part of the first successful access, so the paste cannot be fetched once and then remain available for another reader.
What precautions does textdrop.sh take?+
The service uses Web Crypto AES-256-GCM, PBKDF2 key wrapping for password pastes, CSP nonces, security headers, rate limits, random IDs, and automatic expiry.
Which mode should I use for sensitive content?+
Use password protection. For one-time sensitive sharing, also enable burn after read and choose the shortest practical expiry.
Responsible disclosure
Found a security issue?
Please do not disclose it publicly. Send reproduction steps, impact, and any suggested mitigation to our security inbox.