iToverDose/Software· 4 JUNE 2026 · 20:00

Build a $9 bookmark tool with zero server costs — here's how

Frustrated by bloated bookmark managers, one developer created a $9 lifetime tool that runs entirely in your browser. Discover the technical architecture behind this zero-server app and its surprising security model.

DEV Community · 4 min read

Frustrated by the subscription traps and mandatory logins of modern bookmark managers, developer Aditya Chakraborty decided to build a simpler alternative. The result is Squirrel, a $9 bookmark tool that operates entirely in the browser, stores data locally, and requires no external servers. Here’s how it works—and what he learned along the way.

Why a zero-server design makes sense

The core idea behind Squirrel is straightforward: eliminate the need for a backend entirely. Most bookmark managers rely on cloud databases, user accounts, and recurring fees, but Chakraborty wanted something that worked offline by default. The browser, with its built-in storage capabilities, became the entire infrastructure.

This approach eliminates common pain points:

  • No account creation or password resets
  • No synchronization delays between devices
  • No recurring costs for server maintenance
  • Full privacy, since data never leaves the user’s machine

The only exceptions to this serverless model are three controlled interactions:

  • Static hosting via Cloudflare Pages, which delivers the app’s files
  • Anonymous analytics using a cookieless Cloudflare beacon
  • License validation through a single Cloudflare Worker when a user enters a premium key

Every other operation—saving bookmarks, managing sections, applying settings—happens entirely within the browser.

Leveraging IndexedDB for offline storage

Developers typically turn to external databases like PostgreSQL or Firebase for structured data, but browsers already include a powerful built-in option: IndexedDB. Unlike localStorage, which is limited to simple key-value pairs, IndexedDB functions as a full document database, capable of storing complex objects without network requests.

Squirrel uses four IndexedDB stores to organize its data:

  • bookmarks for sections and links
  • settings for user preferences like theme and layout
  • autoBackups for rolling 30-minute snapshots of the entire dataset
  • dailyBackups for named backups retained for seven days (a premium feature)

This local-first design ensures that even if the app is closed or the browser crashes, all data remains intact. The browser itself acts as the database, eliminating the need for a remote server to persist information.

Selling a premium app without a user account

The biggest challenge wasn’t technical—it was monetization. Without a user account system, how do you prevent users from accessing premium features without paying? The solution was a hybrid approach using a minimal backend.

When a user purchases Squirrel on Gumroad, they receive a license key like BM-XXXX-XXXX-XXXX. To activate premium features, the app sends this key to a Cloudflare Worker, which validates it against Gumroad’s API. If the key is valid, the Worker returns a response, and the app caches the result locally with a tamper-resistant token—a salted hash combining the key and timestamp.

On subsequent launches, the app checks this cached token instead of making repeated validation requests. If a user manually alters their localStorage to fake the cache, the hash won’t match, and the app reverts them to the free tier. While this system isn’t foolproof, it’s sufficient for a $9 purchase where most users won’t attempt reverse engineering.

Prioritizing security in a client-side app

In a traditional web app, security happens on the server—sanitizing inputs, validating requests, and controlling access. But with Squirrel, the browser becomes the security perimeter. Every input and output passes through client-side code, which required intentional hardening.

Key security measures include:

  • Input sanitization: All bookmark URLs are filtered against a protocol allowlist, blocking javascript: and data: schemes entirely. User-generated text—like section names or bookmark titles—is HTML-escaped before rendering to prevent XSS attacks.
  • Strict CORS and rate limiting: The Cloudflare Worker handling license validation only accepts requests from the app’s domain (squirrel.aditco.in) and enforces a 10-attempts-per-minute rate limit to deter brute-force attacks.
  • Security headers: Cloudflare Pages sets critical headers like HSTS, X-Frame-Options: DENY, and X-Content-Type-Options: nosniff to mitigate common web vulnerabilities.
  • No third-party favicon service: An earlier version relied on Google’s favicon proxy, which could track every URL bookmarked. The team replaced this with direct favicon.ico requests to each site, ensuring browsing habits stay private.
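The input-sanitization bullet above can be sketched as follows. This is an added example, not Squirrel's own code: the function names are hypothetical, and the allowlist of `http:` and `https:` is an assumption, since the article names only the blocked schemes.

```javascript
// Added example (hypothetical names): protocol allowlist for bookmark URLs
// plus HTML escaping for user-supplied text.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]); // assumption: web links only

// Returns a normalised URL string, or null if the input must be rejected.
function sanitizeBookmarkUrl(input) {
  if (typeof input !== "string") return null;
  let url;
  try {
    // Parse first, then check. The WHATWG parser lowercases the scheme and
    // strips tabs/newlines, so the check sees the scheme the browser would use.
    url = new URL(input.trim());
  } catch {
    return null; // relative or malformed input: there is no scheme to vet
  }
  return ALLOWED_PROTOCOLS.has(url.protocol) ? url.href : null;
}

const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Escapes the five characters that can break out of text or attribute context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Builds link markup only when the URL passes the allowlist.
function renderBookmark(title, rawUrl) {
  const href = sanitizeBookmarkUrl(rawUrl);
  if (href === null) return null;
  return `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${escapeHtml(title)}</a>`;
}
```

Checking the parsed `protocol` rather than matching the raw string with a regular expression is what catches mixed-case and whitespace-split variants of a blocked scheme.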

These measures don’t make the app unhackable, but they reinforce the core value proposition: user data never leaves their device, and privacy isn’t an afterthought.
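The origin restriction and the 10-attempts-per-minute limit on the license Worker reduce to the decision logic below. This is an added example, not the project's code: the function name, the `https://` scheme on the origin, and the in-memory store are assumptions. Because the `Origin` header is only set reliably by browsers, the rate limit is the control that constrains other clients.

```javascript
// Added example (hypothetical names): origin gate plus sliding-window rate limit.
const ALLOWED_ORIGIN = "https://squirrel.aditco.in"; // domain from the article; scheme assumed
const MAX_ATTEMPTS = 10;  // attempts allowed per window (from the article)
const WINDOW_MS = 60_000; // one minute

// clientId -> timestamps (ms) of recent attempts. Assumption: in-memory state.
// A deployed Worker needs shared storage, since isolates do not share memory.
const attempts = new Map();

// Returns the status and headers to send before any license lookup happens.
function gateLicenseRequest(origin, clientId, nowMs) {
  // Exact match only: prefix or substring checks would accept
  // look-alike origins such as "https://squirrel.aditco.in.example".
  if (origin !== ALLOWED_ORIGIN) {
    return { status: 403, headers: {} };
  }
  const cors = { "Access-Control-Allow-Origin": ALLOWED_ORIGIN, "Vary": "Origin" };

  // Keep only attempts still inside the window, oldest first.
  const recent = (attempts.get(clientId) || []).filter((t) => nowMs - t < WINDOW_MS);
  if (recent.length >= MAX_ATTEMPTS) {
    attempts.set(clientId, recent);
    // Seconds until the oldest attempt leaves the window.
    const retryAfter = Math.ceil((recent[0] + WINDOW_MS - nowMs) / 1000);
    return { status: 429, headers: { ...cors, "Retry-After": String(retryAfter) } };
  }
  recent.push(nowMs);
  attempts.set(clientId, recent);
  return { status: 200, headers: cors }; // caller may now validate the key upstream
}
```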

A minimal tech stack with maximum simplicity

Squirrel’s entire codebase consists of just two JavaScript files and a single HTML document:

  • app.js handles the UI, event handling, rendering, and business logic
  • indexedDB.js manages data persistence
  • No framework, no build step (except production obfuscation), and no external dependencies

The decision to avoid frameworks like React or Vue was intentional. A bookmark manager’s DOM operations are simple enough to handle with vanilla JavaScript, and the app’s design prioritizes portability. Users can download the squirrel.html file, open it in any modern browser, and start using it immediately—no installation, no setup.

For production, the source code is obfuscated using javascript-obfuscator, bundled into a single file, and deployed to Cloudflare Pages via GitHub Actions. This approach keeps the app lightweight, fast, and easy to maintain.

Lessons from the build

Chakraborty shared one key takeaway from the project: ship the documentation alongside the product. Before launching Squirrel on Product Hunt, he published a detailed technical article explaining its architecture. The post generated 200 visitors on launch day, sparked conversations about zero-server designs, and helped validate interest before the tool itself was widely adopted.

Building a zero-server app isn’t for every use case, but for tools focused on privacy and simplicity, it’s a compelling alternative to traditional cloud-based services. Squirrel proves that sometimes, the most innovative architecture is the one you don’t need to build at all.

AI summary

Squirrel is a bookmark manager built without server interaction. The application protects users' data by storing it locally and applying security measures.
