Source code and details: https://git.anarchists.space/NanoChat/Server
Features
- Small codebase
- Messages expire after 30 days
- Panic button to delete all messages in a room
- WebSocket for communication
- Docker support
Technical details
- AES-256-GCM for client-side encryption
- Key is not sent to server
A few ideas that could further strengthen the design:
- Consider deriving separate keys from a master secret using HKDF (e.g. encryption key, authentication key, attachment key) instead of relying on a single key for everything.
- Room IDs alone could leak metadata if discovered. An HMAC-based room authentication scheme could help without requiring the server to know any encryption keys.
- Adding replay protection with counters/nonces and periodic key rotation would make the protocol more resilient.
- For public deployments, some abuse protection (rate limiting, room creation limits, optional proof-of-work) would help prevent DoS attacks.
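The key separation and HMAC room check suggested in the comment above, as an added example that is not part of the thread or of NanoChat's code. The HKDF labels, the `RoomServer` class and the challenge flow are assumptions: the room creator registers only the derived auth key, so the server can gate joins without being able to compute the encryption key.

```python
import hashlib
import hmac
import secrets

HASH = hashlib.sha256


def hkdf(master: bytes, info: bytes, length: int = 32, salt: bytes = b"") -> bytes:
    """HKDF-SHA256 (RFC 5869): extract a PRK, then expand it under `info`."""
    prk = hmac.new(salt or bytes(HASH().digest_size), master, HASH).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_room_keys(master: bytes) -> dict:
    """Client side: one independent key per purpose (labels are hypothetical)."""
    return {
        "enc": hkdf(master, b"example/v1/message-encryption"),  # AES-256-GCM key
        "auth": hkdf(master, b"example/v1/room-auth"),  # only key the server sees
        "attach": hkdf(master, b"example/v1/attachment-encryption"),
    }


def join_proof(auth_key: bytes, room_id: str, nonce: bytes) -> bytes:
    """Client side: answer the server's one-time challenge for this room."""
    return hmac.new(auth_key, room_id.encode() + b"\x00" + nonce, HASH).digest()


class RoomServer:
    """Server side (hypothetical): stores auth keys, never the master or enc key."""

    def __init__(self):
        self.auth_keys, self.pending = {}, {}

    def create_room(self, room_id: str, auth_key: bytes) -> None:
        self.auth_keys[room_id] = auth_key

    def challenge(self, room_id: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending[nonce] = room_id
        return nonce

    def verify(self, room_id: str, nonce: bytes, proof: bytes) -> bool:
        # pop() makes each challenge single use, so a captured proof cannot be replayed
        if self.pending.pop(nonce, None) != room_id or room_id not in self.auth_keys:
            return False
        expected = join_proof(self.auth_keys[room_id], room_id, nonce)
        return hmac.compare_digest(expected, proof)
```

Someone who learns only the room ID cannot produce a valid proof, and a leaked server database exposes the auth keys but not the message or attachment keys.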
Cloudflare doesn’t let me through. 🙄
We were under attack from a Singaporean botnet for two weeks, so I had to put our Forgejo instance behind Cloudflare because of that 🥲
I literally hate people who only want to destroy or weaken good things 😒 But why don’t you use Codeberg? Is it because of downs every now and then because of the same reason (DDoS attacks from idiots)?
Do projects like Anubis fail in such cases?
Anubis is for blocking AI crawlers, not DDoS attacks
How does the anonymity work?
There are no user identities (not even cryptographic ones), and the room encryption key is stored in the URL, which is never sent to the server. Anyone can choose any nickname and you can access the official instance (https://nanochat.anarchists.space/) through Tor.
Thanks for sharing. I recommend Cheogram web, which is in beta but will reach the full feature set of the app in due time.
OnionShare already has a chat feature that works pretty well. What does this add?
Codebase is small and easy to audit. The panic button wipes all chat history in a room and blocks future messages. OnionShare fully depends on Tor’s built-in encryption for message security while NanoChat has its own encryption, which means you can host it on different anonymity networks.





