Nowhere encodes a full website into the URL fragment (after #), which browsers never transmit to servers, making the link itself the only host.
Key Takeaways
The URL fragment is never sent to servers per the HTTP spec, so Nowhere exploits this to store compressed, encoded site content client-side only.
For dynamic actions (orders, petitions, forum posts), it uses Nostr relays that receive only encrypted blobs from ephemeral one-use keys with no identity attached.
Site creators can password-encrypt the fragment itself, making the URL opaque even to someone who possesses the link.
Offline access works via QR code printouts plus the Nowhere app, which ships the rendering libraries locally – no network required at access time.
Eight tools are offered: stores, fundraisers, forums, events, drops, petitions, and artwork, all stateless and serverless by architecture.
Hacker News Comment Review
The core technical criticism: the fragment may never touch Nowhere’s servers, but the generic JS renderer still must be downloaded from nowhr.xyz on first load, meaning the domain is a dependency and a censorship point – the “hosted nowhere” claim is overstated.
Multiple commenters noted this technique is well-established: fragment-encoded HTML playgrounds, markdown viewers like mdview.io, and single-file web apps predate Nowhere, deflating the novelty framing.
The privacy guarantees require trusting the Nowhere app and domain to serve unmodified code; without self-hosting or auditing the served JS on every visit, the cryptographic privacy story has a practical weak link.
Notable Comments
@toyg: cleanly explains the actual request flow – browser still fetches generic JS from the main site; the fragment decode is client-side only after that download.
@calebm: points to Single-File Web Apps as a more durable alternative for the same durability goal.
@foltik: “You could describe a .html file sitting on your computer with all of the same marketing bluster.”
