FormSeal - E2EE contact form backend

A privacy-first, end-to-end encrypted contact form backend designed to be blind to message contents.

Project created on: Dec. 2025 | Last updated: Dec. 2025

FormSeal is an experimental, security-focused contact form backend built to eliminate server-side visibility into user messages. Unlike traditional form handlers, the backend is intentionally blind — messages are encrypted on the client before submission and stored without ever being decrypted server-side.

The project explores different architectural variants using Cloudflare Workers and KV storage, focusing on stateless authentication, key exchange, and practical end-to-end encryption in a serverless environment.

FormSeal is designed as a framework rather than a single deployment, allowing different trade-offs between usability, security, and privacy depending on the chosen variant.

Overview

Problem

Standard contact form backends store messages in plaintext, creating unnecessary trust assumptions and long-term data exposure risks.

Solution

A client-side encrypted submission pipeline where the backend only handles encrypted blobs and metadata, never plaintext messages.

Core stack

Cloudflare Workers · KV Storage · Client-side E2EE · Stateless authentication · Vanilla JavaScript

Architecture

FormSeal follows a client-encrypt → server-store → client-decrypt model, ensuring the backend never gains access to message contents.

Client encryption: Messages are encrypted in the browser before submission.
Submission endpoint: Worker validates structure, rate-limits requests, and stores encrypted payloads.
KV storage: Encrypted blobs are stored as opaque values with minimal metadata.
Admin access: Decryption happens client-side using locally held keys.
Stateless design: No sessions, cookies, or long-lived authentication tokens.

Key Features

End-to-end encryption

Message contents are never visible to the backend.

KV-blind storage

Encrypted data is stored as opaque blobs without schema coupling.

Multiple variants

Supports different trade-offs between security, privacy, and usability.

Serverless by design

No servers to manage, patch, or secure.

Minimal metadata

Only essential routing and anti-abuse metadata is retained.

Sample code snippet

This snippet shows how encrypted payloads are handled server-side without decryption:

// Store encrypted payload without inspection
await SUBMISSIONS.put(id, encryptedPayload, {
  metadata: {
    created_at: Date.now(),
    variant: "e2ee"
  }
});

Possible future improvements

Key rotation strategies
Client-side message indexing
Optional forward secrecy
Improved spam resistance
Encrypted search experiments

Links

GitHub: https://github.com/grayguava/formseal

Live Demo: No Live demo or deployments available