Cryptography & Security

Understanding RFC 3986: The URL Fragment & Zero-Knowledge Architecture

April 21, 2026
Dippan Bhusal
5 Min Read

If you want to build a truly secure application where the server cannot read the user's data, you must understand how browsers handle the URL fragment identifier (#). This is the foundation of client-side, zero-knowledge encryption.

The RFC 3986 Fragment Rule

According to the official internet standard RFC 3986 (Uniform Resource Identifier: Generic Syntax), the fragment identifier component of a URI allows indirect identification of a secondary resource. But here is the critical security feature:

"The fragment identifier is separated from the rest of the URI prior to a dereference, and thus the identifying information within the fragment itself is dereferenced solely by the user agent."

In plain English: The URL fragment is never sent to the server in an HTTP request. If a user navigates to https://example.com/payload#secretKey123, the backend server (Nginx, Vercel, AWS) only ever sees a request for /payload. The #secretKey123 stays entirely within the local browser.

Exploiting the Fragment for Secure Link Sharing

Traditional password managers and secure note tools often encrypt data, but if the decryption key touches the server, a database breach exposes everything. By utilizing the RFC 3986 specification, we can create a flawless zero-knowledge architecture.

  • Encryption: The user types a message. The browser generates a random AES-GCM 256-bit key and encrypts the message locally.
  • Storage: Only the scrambled, encrypted blob is sent to the database.
  • Transmission: The raw decryption key is appended to the URL as a fragment (e.g., #key).
  • Decryption: When the recipient opens the link, the browser pulls the key from the URL fragment and decrypts the downloaded blob. The server never knows what the key was.

Preventing Fragment Identifier Exploitation

While the fragment is a powerful tool for zero-knowledge systems, it must be handled carefully. Malicious actors can attempt fragment identifier exploitation if your JavaScript improperly parses the hash and injects it directly into the DOM (leading to DOM-based XSS).

To secure your application, never use innerHTML when handling data extracted from window.location.hash. Always treat the fragment strictly as a cryptographic key and pass it directly to the window.crypto.subtle API for key derivation.

Try Zero-Knowledge Encryption Yourself

See the RFC 3986 fragment rule in action. Encrypt text and files directly in your browser. Our servers physically cannot read your data.

Launch ZeroKey Encryptor View Source Code