FormSeal — Encrypted message submission pipeline

A browser-native, client-side encrypted form submission pipeline with built-in abuse resistance and zero server-side message visibility.

Project created: Dec 2025 | Last updated: Feb 2026

FormSeal is a security-focused form submission backend where messages are encrypted in the browser before transmission and stored without ever being decrypted server-side.

It is designed specifically for use in website-embedded forms and operates entirely within standard browser capabilities, without requiring user accounts, cookies, or third-party services.

Overview

Problem

Traditional contact form backends store messages in plaintext, introducing unnecessary trust assumptions and long-term data exposure risks.

Solution

A browser-encrypt → server-verify → blind-store pipeline where the backend never gains access to message contents.

Main stack

Cloudflare Pages Functions · KV Storage · Client-side E2EE · Stateless Proof-of-Work · Vanilla JavaScript

Architecture

Browser-side encryption: Form data is encrypted directly in the browser using public-key cryptography before submission.
Same-origin submission pipeline: All endpoints are implemented as Cloudflare Pages Functions to avoid cross-origin complexity and reduce attack surface.
Challenge and verification layer: Submissions are gated using time-bound proof-of-work with replay protection and strict payload validation.
Blind storage: Encrypted payloads are stored as opaque blobs in KV with automatic expiration.
Stateless operation: No sessions, cookies, or persistent client identifiers are used.

Key properties

End-to-end encryption

Message contents are never visible to the backend.

Proof-of-work gating

Abuse resistance without captchas or behavioral tracking.

Replay protection

Each submission is cryptographically bound and single-use.

Serverless by design

No servers to manage or stateful infrastructure to maintain.

Minimal metadata

Only data required for verification and abuse prevention is retained.

Admin tooling

Message retrieval and decryption are handled by a separate, admin-side toolchain.

Admin tooling is intentionally isolated from the public submission pipeline and requires explicitly held private keys. No decryption logic or secrets exist in the public-facing backend.

Read more about admin sync: Admin Sync project overview

Possible future changes

Incremental refinements to the browser-side encryption pipeline
Improved proof-of-work tuning and abuse resistance
Optional reduction of retained submission metadata
Hardening of verification and replay-protection logic
Documentation polish for long-term maintainability

Links

GitHub (FormSeal core): github.com/grayguava/formseal

Live demo: No public deployment available