Welcome to NullPad
This is a completely local-first note-taking application designed for speed, privacy, and
simplicity. It is an application specialized for offensive and defensive cybersecurity
professionals. All data is primarily stored within your browser, ensuring immediate access
and full control over your information.
Notes App is entirely free to use.
However, if you find it valuable and would like to support its continued development, you
may support the app.
Buy me a coffee
Vulnerability Research & Acceptable Use
We welcome security researchers! You are allowed and encouraged to hunt for
vulnerabilities and report them to: [email protected]. Researchers
who discover and responsibly disclose flaws will have their names added to our
Acknowledgements below.
Legal Warning: Any action that compromises the functioning of the
application, such as Distributed Denial of Service (DDoS) attacks, attempts to break the
application infrastructure, or causing any damage to data availability and integrity, is
strictly prohibited and subject to legal action.
Acknowledgements
No entries yet.
Features
Section Management
- Sections: Organize your workspace seamlessly, acting similar to
separate browser tabs for different workflows.
- Rename Sections: Double-click on a section name to edit it.
- Sections Scroll: When your sections exceed the available horizontal
screen space, simply click and drag anywhere in the section bar area, or use your mouse
wheel, to scroll left and right.
- Reorder Sections: Click and hold a section, drag it vertically first
(up/down), then move it horizontally (left/right) to snap it into your desired location,
then release.
- List View: All your sections and notes are also available in a
hierarchical, organized view list. You can easily transfer notes to different sections
and reorganize the order of sections
from this hub. The number of sections per line in the grid view can be configured in
Settings.
Workspace Navigation
- Event Storage: Enables real-time synchronization between multiple
windows.
- Panning (Drag to Move): Click and hold the Left Mouse
Button (or Middle Button) on any empty area of the background to "grab" and
move the entire workspace.
- Auto-Expansion: Simply drag notes or resize them towards the edges of a
section. The workspace will automatically grow to provide more space as you approach the
boundaries.
- Smart Cleanup: When you release a note, the section automatically
shrinks to fit your notes' footprint, ensuring your workspace stays organized without
unnecessary empty space.
Note Controls
- Drag and Drop: Click and hold the handle of any note to move it. You
can also multi-select notes with Ctrl + Shift + Click
to move several at once.
- Toggle/Collapse: Click the arrow icon in the note header to expand or
collapse it.
Notes directly below will be automatically pulled up or pushed down. The proximity limit
for this behavior can be adjusted in Settings. This distance creates a
unity of organization: notes within this range are handled as a logical
group, ensuring that related items move together to maintain your layout's structure
even if they are not perfectly aligned or touching.
- Focus Note: If a note is partially off-screen, simply click it to
automatically bring it into full view. The Focus scroll offset can be adjusted in
Settings.
Text Formatting & Blocks
- Bulleted Lists: Type * + Space at the start of a
line to create bulleted points.
- Numbered Lists: Type 1. + Space at the start of a
line to begin a numbered list.
- Checkboxes: Type < + Space at the start of a
line to create an interactive to-do item.
- Toggle Blocks: Type > + Space to make content
collapsible.
- Format Conversions: Select existing text and click the list/checkbox
buttons in the toolbar to automatically format them line-by-line.
Advanced Functionality
- Environment Variables: Available via the "Vars" (cylinder) icon button.
Set global key/value pairs (like
IP=10.10.10.10) useful in templates.
- Variable Injection: When hovering over formatted code blocks, click the
float icon to copy the content with all matching environment variables automatically
evaluated and injected.
- Easy Copy: Toggle via Alt + C. Selected blocks
become fully clickable elements that instantly copy their content to your clipboard.
Storage & Persistence
- Auto-Save: Never worry about losing work. NullPad continuously saves
your session, including all Notes, Sections,
Settings, and Environment Variables, to your browser's
local storage as you type.
- Restore: Recover your last saved state from the browser's local storage
manually. This is useful for restoring your progress if the page was refreshed with
auto-save disabled.
Automatic Title Generation
NullPad can automatically generate titles for your notes based on the content of the first
line, preserving your flow without manual naming.
- Smart Extraction: The app monitors your typing and automatically
extracts up to 3 words from the first line of an unnamed note to use as a title.
- Customization: You can enable/disable this feature and adjust the
generation delay and word limit in Settings under Notes
Behavior.
Keyboard Shortcuts
Ctrl + 1 to 4 Apply one of
the four predefined colors.
Ctrl + ' Apply color-picker defined
color.
Ctrl + B Toggle bold.
Ctrl + U Toggle underline.
Ctrl + \ Remove all
formatting.
Ctrl + E Toggle to code formatting or
remove code formatting.
Ctrl + Shift + Click
Select and drag multiple notes simultaneously.
Ctrl + Alt + Click BETA Multi-cursor selection.
Alt + N Create a new note.
Alt + S Create a new section.
Alt + A Go to previous section
(left).
Alt + D Go to next section
(right).
Alt + C Toggle Easy Copy (click to
copy).
* + Space Bulleted list.
1. + Space Numbered list.
< + Space Checkbox.
> + Space Toggle Block.
Enter In lists, creates a new item. Press
Enter on empty items to exit the list.
Sync & Storage
Export & Import
Your workspace can be completely exported as a JSON file, providing a portable backup of all
your notes and sections.
- Export: Generates a JSON file containing your entire workspace,
including all Settings and Environment Variables.
Using encryption during export is recommended for safe transport.
- Import: Restore a previously exported workspace. Note that this will
overwrite your current local session.
Cloud Synchronization
Our cloud sync operates under a Zero-Knowledge Architecture.
- How it works: The entire JSON object comprising your workspace is
compressed to minimize size and reduce predictability of the data before it undergoes
AES-GCM 256-bit encryption locally in your browser. The server handles exclusively
encrypted blobs and never perceives the keys.
- Authentication & Restoring: You authenticate using your Google or
GitHub account. To completely restore and decrypt your data pulled from the cloud, you
must provide the exact configuration: your Encryption Password and
Salt (if a custom salt was used).
- Restrictions: Within the cloud environment, you cannot repeat Database
Notes titles for the same user, ensuring consistent document tracking and retrieval
patterns.
Important: The application has no
mechanism to recover your data without your exact credentials. If you lose these keys, your
information will be inaccessible.
Collaboration & Sharing
- Sharing by Nickname: You can grant read-only access to any of your
cloud documents by entering a user's exact Nickname in the Collaborators section. The
authorized document will immediately populate in their "Shared with Me" tab.
- Access & Privacy: Because sharing utilizes only exact nicknames indexed
anonymously rather than searchable emails, user enumeration is completely prevented.
Shared documents enforce severe read-only constraints mathematically guaranteed by Cloud
Firestore Rules.
- Desynchronize Button: While reviewing a document shared with you, you
will find a Desynchronize action in the control center. Utilizing this
tool cleanly severs the synchronization link to the cloud session while deliberately
retaining the document's text offline into your personal interface, allowing you to
instantly inherit a workable, private copy.
Security & Privacy
NullPad is built with a deep commitment to user privacy and data ownership. Our architecture
is designed to handle sensitive information with transparency and robust security practices.
Data Sovereignty
- Local-First Control: We do not monitor, profile, or have access to your
notes. All your data remains strictly on your device unless you explicitly choose to use
the cloud sync feature.
- Browser Isolation: Data is stored within your browser's secure
`localStorage`, which is isolated from other websites through standard Same-Origin
Policies.
No Behavioral Tracking
- Zero Tracking Policy: We do not use third-party behavioral trackers,
session recorders, or marketing cookies. Your activity within the app is not profiled or
monitored for analytics.
- Infrastructure Logs: Like all web services, our hosting and backend
providers (Cloudflare and Firebase) may process essential technical logs (such as IP
addresses and request metadata) strictly for security, DDoS protection, and operational
reliability.
- Privacy-First Infrastructure: We choose providers that adhere to high
security standards, ensuring that technical logs are handled responsibly and are not
used for user behavioral analysis.
Client-Side Encryption
- Zero-Knowledge Sync: When using cloud sync, your data is encrypted
locally with AES-256-GCM before it ever leaves your browser. Your notes
remain indecipherable to our infrastructure and service providers.
- Encryption at Rest: Your password is never transmitted
to or stored on our servers. The salt used for encryption can be either
the application's default or a custom value provided by you; in the latter case, the
full combination of credentials remains exclusively in your control.
- Access Control: The application has no mechanism to recover or decrypt
your data without your credentials. This ensures that only you, the owner of the
password, can access the content.
Third-Party Authentication
- Identity Providers: NullPad uses Firebase Authentication to allow
sign-in via Google or GitHub. This authentication flow is handled directly by these
providers and the Firebase platform.
- Third-Party Policies: Use of these authentication methods is subject to
the respective privacy policies and data handling practices of Google, GitHub, and
Firebase. NullPad only stores your provider user ID and authentication token locally to
maintain your session.
Operational Responsibility
NullPad's architecture supports strong data handling practices by keeping user content local
by default and applying client-side encryption before any cloud transmission. Users are
responsible for maintaining the confidentiality of their password and salt. Compliance with
specific regulatory frameworks (such as GDPR, HIPAA, or internal OPSEC policies) depends on
the user's own configuration and usage context.
Solutions & Tips
Behavior Settings Issue after Update
If the application receives an update that adds new behavioral settings and you have
auto-save enabled, these values may appear empty in Settings > Behavior.
Fix: To resolve this, go to Settings > Behavior and click
the Reset Behavior button to initialize the new settings with their default
values.
Updates & Window Communication
If you keep NullPad open for long periods (such as across PC sleep/wake cycles), you may stop
receiving automatic updates. Additionally, the Event Storage (which ensures
that changes in one window appear instantly in others) may become inactive.
Recommendation: Refresh the page frequently to ensure you are using the most
recent version and to maintain active communication between all open windows.