The Beginning
I started coding in 2023 as a self-taught developer. Within months, I was building full-stack applications with React, Next.js, and Node.js. But it was when I learned about encryption and cybersecurity that everything clicked — I wanted to build something that matters.
SecureVault started as a simple Flask app to store passwords. It's now a 14,000+ line production application with AES-256 encryption, a Chrome extension, admin dashboard, payment system, and more.
The Architecture
Why Python + Flask?
I chose Flask for its flexibility and Python's excellent cryptography libraries. Flask lets you build exactly what you need without framework bloat. For a security-focused application, having control over every component is essential.
Database Strategy
SecureVault uses a dual-database architecture:
- MongoDB (primary): Stores encrypted passwords, keys, 2FA data, and user profiles. Chosen for flexibility and Render.com compatibility.
- SQLAlchemy/PostgreSQL: Optional SQL layer for structured data and local development.
- Google Drive API: Primary storage for encrypted files and documents.
Encryption Layer
The encryption system went through 3 major iterations:
- v1: Simple Fernet encryption — worked but wasn't true zero-knowledge
- v2: User-specific keys derived from master passwords with PBKDF2
- v3 (current): Full AES-256-CBC with 100,000+ iteration PBKDF2 key derivation, unique IV per record, and zero-knowledge architecture
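The v3 design above, written out as an added example (this is not SecureVault's own code): a per-user key is derived from the master password with PBKDF2-HMAC-SHA256 at 100,000 iterations, and every record gets a fresh random IV before AES-256-CBC. One addition beyond what the post describes is an HMAC-SHA256 tag over IV and ciphertext, derived from the same PBKDF2 output, so a record that has been tampered with (or decrypted with the wrong password) is rejected before unpadding instead of producing garbage or a padding-oracle signal. The `cryptography` package is assumed to be installed; the salt and plaintext in the test are constructed values.

```python
"""Added example: PBKDF2 key derivation + AES-256-CBC with a unique IV per record.
Assumes the `cryptography` package; not the project's own implementation."""
import hashlib
import hmac
import os

from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

PBKDF2_ITERATIONS = 100_000   # the "100,000+" figure from the post
IV_LEN = 16                   # AES block size
TAG_LEN = 32                  # HMAC-SHA256 output


def derive_keys(master_password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Derive a 32-byte AES-256 key and a 32-byte HMAC key from one PBKDF2 run.

    The server only ever stores `salt`; the derived keys live on the client,
    which is what makes the design zero-knowledge. The HMAC key is an addition
    to the post's description (encrypt-then-MAC) so ciphertexts are tamper-evident.
    """
    km = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=64
    )
    return km[:32], km[32:]


def encrypt_record(master_password: str, salt: bytes, plaintext: bytes) -> bytes:
    """Return iv || ciphertext || tag. A new IV is drawn for every call."""
    enc_key, mac_key = derive_keys(master_password, salt)
    iv = os.urandom(IV_LEN)                       # unique IV per record
    padder = padding.PKCS7(128).padder()
    padded = padder.update(plaintext) + padder.finalize()
    encryptor = Cipher(algorithms.AES(enc_key), modes.CBC(iv)).encryptor()
    ct = encryptor.update(padded) + encryptor.finalize()
    tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    return iv + ct + tag


def record_is_authentic(master_password: str, salt: bytes, blob: bytes) -> bool:
    """Constant-time check of the HMAC tag; False for wrong password or tampering."""
    if len(blob) < IV_LEN + TAG_LEN:
        return False
    _, mac_key = derive_keys(master_password, salt)
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def decrypt_record(master_password: str, salt: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt and strip PKCS7 padding."""
    if not record_is_authentic(master_password, salt, blob):
        raise ValueError("record failed integrity check (wrong password or tampering)")
    enc_key, _ = derive_keys(master_password, salt)
    iv, ct = blob[:IV_LEN], blob[IV_LEN:-TAG_LEN]
    decryptor = Cipher(algorithms.AES(enc_key), modes.CBC(iv)).decryptor()
    padded = decryptor.update(ct) + decryptor.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    return unpadder.update(padded) + unpadder.finalize()


if __name__ == "__main__":
    salt = os.urandom(16)                          # stored server-side next to the record
    blob = encrypt_record("correct horse battery", salt, b"example-site-password")
    print(decrypt_record("correct horse battery", salt, blob))
```

The salt is per user and is stored alongside the encrypted records; because the key derivation happens wherever the master password is typed, a dump of the database yields only salts, IVs, ciphertexts and tags. Two encryptions of the same plaintext produce different blobs, which is the point of the per-record IV.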
The Chrome Extension
Building the Chrome extension was one of the most challenging parts. Manifest V3 brought major changes to how extensions work:
- Service workers replaced persistent background pages
- Content scripts needed careful DOM manipulation for inline vault icons
- Form detection required heuristic matching across thousands of different login page designs
- Token management needed secure storage without exposing credentials
The result: an extension that detects login forms, shows inline icons, auto-fills credentials with one click, and displays 2FA codes — all while maintaining security.
Challenges I Faced
Deployment on Render
Render.com's free tier has ephemeral storage — files are lost on restart. This forced me to build a robust MongoDB + Google Drive persistence layer. Every piece of user data is synced to permanent storage, with automatic restore on cold starts.
Rate Limiting
Without rate limiting, the login page was vulnerable to brute-force attacks. I implemented Flask-Limiter with IP-based and user-based limits. The challenge was balancing security (blocking attackers) with usability (not blocking legitimate users on shared IPs).
Session Management
Flask sessions needed to work across Render's potentially rotating instances while maintaining security. I used server-side sessions with proper encryption and timeout policies.
What I'd Do Differently
- Start with TypeScript for the frontend — type safety prevents entire categories of bugs
- Use WebSocket for real-time features instead of polling
- Implement E2E tests from day one
- Design the API first — the extension API was retrofitted, which caused some inconsistencies
The Numbers
- 14,000+ lines of Python code
- 2,000+ lines of JavaScript (extension + frontend)
- 50+ API endpoints
- 20+ template pages
- 5 encryption/security modules
- 1 passionate developer
What's Next
SecureVault will continue to evolve. Planned features include mobile apps, advanced password sharing with team vaults, passkey support, and breach monitoring integrations. The goal remains the same: make security accessible to everyone, for free.
If you want to contribute, the code is on GitHub. If you want to hire me for your project, reach out at nafijthepro@gmail.com.
— Nafij Rahaman