What is this?
There exists a /hidden section of my site, which consists of encrypted pages, the contents of which can't be read without a key.
Why?
This site is fully open-source, so normally, even if I don't link to a page anywhere, it can be found in the GitHub repo. However, I wanted to have non-public pages on this site, ones that I could send people a link to, but that couldn't be read otherwise.
Also, because I thought it would be interesting.
How does it work?
Basically, the content of the page is encrypted, and there's some JavaScript code that will attempt to decrypt it using a key in the URL's query string. So when I want to share a hidden page with someone, I can send them a link containing the key, like so, but anyone else will only be able to see the encrypted HTML.
Each page has a different key, so I can share one without revealing all of them.
The widget I use to encrypt them can be found here.
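The same idea as an added example, not this site's actual code: it uses standard AES-GCM through the Web Crypto API rather than the site's own scheme, with a fresh random key per page and decryption driven by the query string. The `key` parameter name, the hex key encoding, the IV-then-ciphertext layout and the example.test URL are assumptions made for the illustration.

```javascript
// Added illustration; runs in a browser, or in Node via the fallback below.
const wc = globalThis.crypto || require("node:crypto").webcrypto;

// Encrypt one page under its own fresh 256-bit key.
// Returns the blob to embed in the published HTML and the hex key for the link.
async function encryptPage(html) {
  const raw = wc.getRandomValues(new Uint8Array(32));
  const iv = wc.getRandomValues(new Uint8Array(12)); // 96-bit GCM nonce
  const key = await wc.subtle.importKey("raw", raw, "AES-GCM", false, ["encrypt"]);
  const ct = new Uint8Array(await wc.subtle.encrypt(
    { name: "AES-GCM", iv }, key, new TextEncoder().encode(html)));
  const data = new Uint8Array(iv.length + ct.length); // layout: IV || ciphertext+tag
  data.set(iv);
  data.set(ct, iv.length);
  let bin = "";
  for (const b of data) bin += String.fromCharCode(b);
  return {
    blob: btoa(bin),
    key: Array.from(raw, (b) => b.toString(16).padStart(2, "0")).join(""),
  };
}

// Try to decrypt the embedded blob with the key from the page URL.
// Returns the HTML, or null if the key is missing, malformed or wrong.
async function decryptPage(blob, pageUrl) {
  const keyHex = new URL(pageUrl).searchParams.get("key"); // assumed parameter name
  if (!keyHex || !/^[0-9a-f]{64}$/i.test(keyHex)) return null;
  const raw = Uint8Array.from(keyHex.match(/../g), (h) => parseInt(h, 16));
  const data = Uint8Array.from(atob(blob), (c) => c.charCodeAt(0));
  const key = await wc.subtle.importKey("raw", raw, "AES-GCM", false, ["decrypt"]);
  try {
    const pt = await wc.subtle.decrypt(
      { name: "AES-GCM", iv: data.subarray(0, 12) }, key, data.subarray(12));
    return new TextDecoder().decode(pt);
  } catch {
    return null; // GCM tag check failed: wrong key or modified ciphertext
  }
}
```

Because GCM is authenticated, a wrong key or an altered blob fails cleanly instead of producing garbage HTML to inject into the page.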
Is it secure?
Not particularly.
(I'm aware of the standard advice to not roll your own crypto, and while this does use AES, it uses it in a nonstandard manner. Also, I set it up quickly, without spending a lot of time making sure things are fully secure, so it should be presumed that they are not fully secure.)
In most circumstances, I wouldn't recommend an approach like this without much more careful thought about whether it works and is appropriate. In this particular case, however, the stakes are very low, since I don't plan to put anything seriously secret here, and I thought it would be interesting to try it out.