LockHTML — Encrypt Any HTML File Into a Password-Protected Self-Decrypting Bundle
You built a beautiful HTML deliverable and you want the client to need a password to open it — but you do not want a server, a login page, or a SaaS subscription. LockHTML is an npx CLI that encrypts any HTML file into a single standalone .html bundle that decrypts itself in the browser using the password you set. Ship it, email it, forget about it.
Difficulty
intermediate
Category
Developer Tools
Market Demand
High
Revenue Score
6/10
Platform
CLI Tool
Vibe Code Friendly
⚡ Yes
Hackathon Score
🏆 7/10
Validated by Real Pain
— sourced from real community discussions
Developers shipping HTML deliverables and templates want a zero-server password protection option but currently have no maintained, modern CLI tool that produces a self-contained encrypted HTML file.
What is it?
The pain is real and loud on HN and r/webdev: developers shipping HTML reports, interactive prototypes, client deliverables, and paid templates want lightweight password protection without running a server. The current options are terrible — zip encryption is ugly, PDF conversion destroys interactivity, and SaaS tools add unnecessary dependencies. LockHTML solves this with a Node.js CLI that uses AES-256-GCM via the Web Crypto API to encrypt the HTML payload, then wraps it in a minimal vanilla JS decryption shell that runs entirely in the browser with zero external calls. The output is a single .html file you can email, upload to S3, or hand to a client. It takes a single npx command and 10 seconds. Buildable in one weekend — Node.js crypto is built-in, the decryption shell is under 80 lines of vanilla JS, and npm publish is free.
Why now?
The Web Crypto API is now universally supported across all modern browsers as of 2024, making zero-dependency client-side AES decryption finally reliable. The vibe-coding wave of May 2026 means thousands of developers are shipping HTML deliverables from AI tools and need lightweight protection.
- Single npx command encrypts any HTML file with AES-256-GCM in under 5 seconds.
- Self-contained decryption shell with zero external dependencies runs in any modern browser.
- Optional expiry date flag that makes the file self-destruct after a set date.
- Pro: custom branded password screen with logo and custom message.
Target Audience
Freelance developers, agencies, and indie hackers shipping HTML deliverables — roughly 800k developers who publish HTML reports or paid templates annually.
Example Use Case
Marcus, a freelance developer delivering an interactive HTML dashboard to a finance client, runs npx lockhtml encrypt --file dashboard.html --password secret123, emails the output file, and the client opens it in any browser and types the password — no server, no login, no drama.
User Stories
- As a freelance developer, I want to password-protect an HTML deliverable with one command, so that only my client can open it without running a server.
- As an indie hacker selling HTML templates, I want to add an expiry date to demo files, so that trial users are forced to purchase after 7 days.
- As an agency developer, I want to brand the decryption screen with a client logo, so that the unlock experience feels professional.
Done When
- ✓ Encryption: done when running the npx command produces a new .html file in under 5 seconds with no errors.
- ✓ Decryption: done when opening the output file in Chrome shows a password prompt and entering the correct password renders the original page.
- ✓ Expiry: done when opening an expired file shows an expiry message instead of the password prompt.
- ✓ Pro gate: done when running with --brand flag without a valid license key prints an upgrade prompt and exits without producing output.
Is it worth building?
$49 one-time x 200 buyers in year 1 = $9,800. Pro SaaS at $9/month x 150 users = $1,350 MRR if converted. Math assumes HN Show post drives 2,000 installs at 2% paid conversion.
Unit Economics
CAC: $0 via organic HN and npm. LTV: $49 one-time per pro buyer. Payback: immediate. Gross margin: 97%.
Business Model
Open-source CLI free forever. Pro tier at $49 one-time for batch encryption, custom branding on decryption screen, and expiry dates.
Monetization Path
Free npm installs build trust and stars. One-time pro upgrade offered via Gumroad or Stripe payment link in the CLI output.
Revenue Timeline
First dollar: week 1 via Gumroad pro link in README. $1k revenue: month 2 from HN traffic. $5k revenue: month 6 via organic npm installs.
Estimated Monthly Cost
npm hosting: free, GitHub Actions CI: free, Stripe or Gumroad fees: ~$15. Total: ~$15/month.
Profit Potential
Side income at $500-$2k/month via one-time sales and occasional pro upgrades.
Scalability
Medium — add a GUI wrapper for non-dev users, SaaS API endpoint for batch processing, and WordPress plugin.
Success Metrics
Week 1: 500 npm installs and 200 GitHub stars from HN post. Month 1: 50 pro purchases. Month 3: 1,000 weekly installs.
Launch & Validation Plan
Post to HN Show with a one-line demo GIF showing the encrypt command and a browser decryption — measure stars in 48 hours.
Customer Acquisition Strategy
First customer: post to HN Show on a Tuesday morning with a working demo and link to npm package. Then: cross-post to r/webdev, r/node, and tweet the demo GIF tagging Cursor and Replit communities.
What's the competition?
Competition Level
Low
Similar Products
PageCrypt (similar concept but unmaintained and no expiry), HTMLPassword (abandonware), standard zip encryption (destroys interactivity) — LockHTML fills the maintained, modern, expiry-aware gap.
Competitive Advantage
No server required, no account, single npm command — lighter than every existing option by an order of magnitude.
Regulatory Risks
Low regulatory risk. Users are responsible for what they encrypt and distribute. Open-source software using strong encryption (AES-256) is generally exempt from export controls under EAR.
What's the roadmap?
Feature Roadmap
V1 (launch): AES encrypt, browser decrypt shell, expiry flag. V2 (month 2): custom brand screen, pro license gate, npm pro package. V3 (month 4+): GUI Electron wrapper, batch folder encryption, Raycast extension.
Milestone Plan
Phase 1 (Day 1-3): CLI encrypt and decrypt shell working end-to-end. Phase 2 (Week 2): expiry flag, pro brand feature, npm publish live. Phase 3 (Month 2): HN Show launch, 500 stars, 30 pro sales.
How do you build it?
Tech Stack
Node.js CLI, Web Crypto API (AES-256-GCM), vanilla JS decryption shell, npm package distribution — build with Cursor for CLI logic and shell generation.
Suggested Frameworks
Node.js built-in crypto, Commander.js for CLI, Rollup for bundle minification
Time to Ship
3 days
Required Skills
Node.js, Web Crypto API, CLI publishing to npm.
Resources
Node.js crypto docs, Commander.js docs, npm publish guide, Web Crypto API MDN reference.
MVP Scope
bin/lockhtml.js (CLI entry point), lib/encrypt.js (AES-256-GCM encryptor), lib/shell.js (generates decryption HTML shell), lib/embed.js (base64 payload embedder), templates/decrypt-screen.html (branded password UI), package.json (npm config), README.md (install and usage docs), .env.example (no env vars needed for free tier).
Core User Journey
npx lockhtml encrypt --file page.html --password secret -> single encrypted .html output in same directory -> email file to client -> client opens in browser and types password -> page decrypts and renders.
Architecture Pattern
CLI command -> reads input HTML file -> Node.js crypto encrypts payload with AES-256-GCM -> shell generator wraps ciphertext in vanilla JS decryptor -> outputs single .html file locally.
Data Model
No server-side data model. CLI input is a local HTML file. Output is a local encrypted HTML file. Pro license key validated client-side via simple hash check.
Integration Points
Node.js built-in crypto for AES-256-GCM, Commander.js for CLI arg parsing, Gumroad or Stripe for pro one-time payment, npm registry for distribution.
V1 Scope Boundaries
V1 excludes: GUI app, team license management, cloud storage of encrypted files, mobile decryption app, multi-file archive encryption.
Success Definition
A developer who has never heard of the tool finds it on npm, encrypts a file in under 60 seconds, and the recipient decrypts it in a browser without any instructions.
Challenges
This is a CLI tool with no recurring revenue hook — conversion to paid requires a genuinely useful pro feature. The hardest problem is getting npm downloads without a marketing budget: it lives or dies on a single well-timed HN Show post.
Avoid These Pitfalls
Do not add a server-side license validation step — it defeats the zero-dependency promise. Do not over-engineer the decryption UI before validating that anyone pays for the pro tier. First 10 paying customers will come from HN, not SEO.
Security Requirements
AES-256-GCM with random IV per encryption, password is never stored or transmitted, pro license key uses HMAC-SHA256 local verification, no telemetry or analytics by default.
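The page specifies HMAC-SHA256 for the local pro license check. This added example swaps in an Ed25519 signature instead (an assumption, not the page's design and not LockHTML's code), because an HMAC verifier has to ship the same secret that issues keys, while a signature verifier ships only a public key and still needs no server. The claims format (`email`, `tier`) and all function names are hypothetical.

```javascript
// Added example (not LockHTML's code): offline pro-license check using Ed25519 signatures.
const crypto = require('node:crypto');

// Vendor side, run where the private key lives (never inside the npm package).
function issueLicense(privateKey, email, tier) {
  const claims = Buffer.from(JSON.stringify({ email, tier }));
  const sig = crypto.sign(null, claims, privateKey); // Ed25519 takes no digest name
  return `${claims.toString('base64url')}.${sig.toString('base64url')}`;
}

// CLI side: needs only the public key. Returns the claims object, or null if invalid.
function verifyLicense(publicKey, license) {
  try {
    const [claimsB64, sigB64, extra] = String(license).split('.');
    if (!claimsB64 || !sigB64 || extra !== undefined) return null;
    const claims = Buffer.from(claimsB64, 'base64url');
    const sig = Buffer.from(sigB64, 'base64url');
    if (!crypto.verify(null, claims, publicKey, sig)) return null;
    return JSON.parse(claims.toString('utf8'));
  } catch {
    return null; // malformed encoding or JSON
  }
}

// Gate for the --brand flag: refuse to produce output without a valid pro license.
function canUseBrand(publicKey, license) {
  const claims = verifyLicense(publicKey, license);
  return claims !== null && claims.tier === 'pro';
}
```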
Infrastructure Plan
npm for package hosting (free), GitHub for source and Actions CI, Gumroad for pro payment page — total infrastructure cost near zero.
Performance Targets
Encrypt a 500KB HTML file in under 2 seconds on any modern laptop. Browser decryption renders in under 1 second after correct password entry. No server roundtrips.
Go-Live Checklist
- ☐ AES encrypt and decrypt tested in Chrome, Firefox, Safari.
- ☐ Payment link tested end-to-end on Gumroad.
- ☐ Sentry not needed (CLI tool, no server).
- ☐ npm publish dry-run verified.
- ☐ README with demo GIF published.
- ☐ License terms and MIT license file added.
- ☐ 3 beta devs tested and confirmed it works.
- ☐ Rollback: previous npm version tagged.
- ☐ HN Show post drafted and scheduled for Tuesday 9am ET.
First Run Experience
On first run: npx lockhtml --help prints usage examples with a sample command. User can immediately run the sample encrypt command on any local HTML file. No manual config required: no API keys, no accounts, no env vars.
How to build it, step by step
1. Define CLI API contract: lockhtml encrypt --file --password --expires --brand as Commander.js spec.
2. Run npm init and set up bin entry point in package.json.
3. Implement AES-256-GCM encrypt function in lib/encrypt.js using Node built-in crypto.
4. Build the vanilla JS decryption shell template in templates/decrypt-screen.html with a password form and inline Web Crypto decrypt logic.
5. Write lib/embed.js to base64-encode encrypted payload and inject into shell template.
6. Add --expires flag that embeds a JS date check into the shell that blanks the page after the expiry timestamp.
7. Add --brand flag (pro gate) that injects a custom logo URL and message into the password screen.
8. Write pro license key check using a simple HMAC hash verified locally.
9. Publish to npm with npx support and write a concise README with a demo GIF.
10. Verify: run npx lockhtml encrypt on a sample HTML file, open output in Chrome and Firefox, type password, confirm page renders correctly, then test expiry with a past date.
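One way the encrypt step and the Security Requirements (AES-256-GCM, random IV per encryption) could look in Node, as an added example that is not LockHTML's code. The page names no key-derivation function, so PBKDF2-SHA256 with 600,000 iterations and a 16-byte salt is an assumption, as are the payload field names and the choice to authenticate a JSON header (including the expiry) as GCM additional data.

```javascript
// Added example (not LockHTML's code): CLI-side encrypt plus a Node mirror of the shell's decrypt.
const crypto = require('node:crypto');

const ITERATIONS = 600000; // assumed PBKDF2-SHA256 work factor; the page names no KDF

// Stretch the password into a 256-bit AES key; the per-file salt keeps keys unique.
function deriveKey(password, salt, iterations) {
  return crypto.pbkdf2Sync(password, salt, iterations, 32, 'sha256');
}

// Returns a JSON-serialisable payload for the shell generator to embed.
function encryptHtml(html, password, expires = null) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12); // fresh 96-bit IV for every encryption
  const header = JSON.stringify({ v: 1, iter: ITERATIONS, expires });
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(password, salt, ITERATIONS), iv);
  cipher.setAAD(Buffer.from(header)); // header is authenticated but not secret
  const body = Buffer.concat([cipher.update(html, 'utf8'), cipher.final()]);
  return {
    header,
    salt: salt.toString('base64'),
    iv: iv.toString('base64'),
    // Web Crypto's AES-GCM decrypt expects ciphertext followed by the 16-byte tag
    ct: Buffer.concat([body, cipher.getAuthTag()]).toString('base64'),
  };
}

// Returns the HTML, or null when the password is wrong or any field was altered.
function decryptHtml(payload, password) {
  try {
    const { iter } = JSON.parse(payload.header);
    const raw = Buffer.from(payload.ct, 'base64');
    const key = deriveKey(password, Buffer.from(payload.salt, 'base64'), iter);
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(payload.iv, 'base64'));
    decipher.setAAD(Buffer.from(payload.header));
    decipher.setAuthTag(raw.subarray(raw.length - 16));
    const body = raw.subarray(0, raw.length - 16);
    return Buffer.concat([decipher.update(body), decipher.final()]).toString('utf8');
  } catch {
    return null; // GCM tag mismatch, malformed header, or bad parameters
  }
}
```

Binding the expiry into the authenticated header means an edited date makes decryption fail in the unmodified shell. The date check itself still runs in the recipient's browser, so it limits casual use rather than access by someone who holds the password.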
Generated
May 7, 2026
Model
claude-sonnet-4-6
Disclaimer: Ideas on this site are AI-generated and may contain inaccuracies. Revenue estimates, market demand figures, and financial projections are illustrative assumptions only — not financial advice. Do your own research before making any business or investment decisions. Technology availability, pricing, and market conditions change rapidly; always verify details independently.