johnbaconator wrote on September 3, 2025 at 9:29 AM

I'm guessing the best backend would be anything that does serverside rendering (SSR), like PHP. This means the HTML page is built on the server dynamically before it is sent to your web browser. Many people on the darkweb use javascript blockers so any sort of interactivity will likely be broken, so no React or whatever people use nowadays. PHP is a great choice because of how old it is and how easy it is to set up, though anything is fair game. I personally use Blazor (C#) for my website and it lets me create reusable components and easy integration with databases through EF Core

dev OP wrote on September 3, 2025 at 10:18 AM

Seems like PHP the way for darknet. As you mention, even I am using JS blockers on my browser while surfing on darknet. I never work with C# ecosystem but I heard about Blazor. Looks fine for darknet as long as not creating any JS on client side.

Thank you for sharing your experience.

hypertext8589 wrote on August 29, 2025 at 3:40 PM

PHP is a fine choice, but I'd use NextJS personally. I wouldn't go for NoJS, but it's entirely possible to create 100% NoJS website (even forum, imageboard, store) using NextJS. You need to learn a bit of modern web technology to understand how this works. My best suggestion is to talk to ChatGPT about web development in context of I2P and keep asking questions for clarification until you get all the details.

dev OP wrote on August 29, 2025 at 4:36 PM

I am using Nuxt.js and Vue.js on my professional job. But whenever I research about creating webapp or website on hidden service or i2p, people start talking about how unsecure JS. Even some of the marketplaces on hidden services have two options, no js and js modes. Already talked a bit with ChatGPT but seems like not giving any good answer, that's why decided to create this post.

Maybe I will go with PHP on backend and Pure HTML, CSS on frontend. Seems like it will take a lot of time to setup my boilerplate. Thank you for answer :)

cumlord wrote on August 29, 2025 at 5:47 PM (edited on August 29, 2025 at 5:53 PM)

don't think that's a bad idea. probably any decent web framework just with html/css would probably be fine. http://terminus.i2p does this with php/html/css, it's source is on http://git.simp.i2p/fuzzykitten/dev_endboard. i've used flask a lot for some things like http://git.simp.i2p/simp/i2music. there's a rust based wsgi/asgi server granian that offers better performance over the normal gunicorn/uvicorn, also some good web frameworks in rust too though not as mature as many of the standard options. there's vulnerability scanners active in i2p even if you don't publish it to a registrar just to keep in mind, i'm always a little concerned about which endpoints are exposed and how they'd be abused

dev OP wrote on September 3, 2025 at 10:14 AM

Flask also good option on backend but it's been a while I don't use python, and don't feel productive the syntax :) Thank you for sending me scanners tools tho, I will definitely gonna check it out before publishing it.

Seems like PHP + HTML + CSS still solid option for my case. I still wanna figure out how can I find a way to become more productive on PHP. I like the Laravel ecosystem but seems like most of the frontend from JS tech which is not suitable for me. I checked the symfony but seems like they are also continue with some other JS tech on frontend.

Thanks for your comment and good projects

cumlord wrote on September 4, 2025 at 8:34 PM (edited on September 4, 2025 at 8:37 PM)

yea use what you're gonna be most productive with. i2p+ has a good throttle/filter system that helps a lot, not a lot of problems because of that, but like if you try to host a wordpress site here with i2pd you're gonna have a bad time

sort of fun challenge for me to try doing stuff without js, depends what you wanna do though, but get pretty far using some combination of frames refresh and cookies. http://simp.i2p/chat is jank, no doubt, but, no js needed lmao. possibly relevant to your security outfit, the chat page http://simp.i2p/botcheck attempts to do a bot challenge with css. unless you're specifically worried about bot spam that's completely unnecessary, just giving some ideas for stuff that can be done without js

lots of neat css tricks out there, like http://simp.i2p/search the styled dropdown is a checkbox, and http://gatheryourparty.i2p has a star rating on the posts but the stars are radio buttons. snex has that one setup with a ruby backend

not so familiar with those ecosystems, but think it's a little slower getting started like this but once you've got some templates it gets faster ;)

hypertext8589 wrote on August 29, 2025 at 5:37 PM

By "unsecure JS" they usually mean the fact that clientside javascript can make XHR requests to clearnet servers that try to impersonate you. It was historically an attack vector during the early days of I2P when the recommended way to use it was FoxyProxy which was installed in your normal browser and only routed through your 4444 links ending with "*.i2p". This setup was unsecure as fuck because clearnet XHR requests from i2p page weren't routed through i2p and thus revealed your real IP address. I think those days are long gone and people mostly don't use I2P like that. I personally use "multi-account containers" Firefox extension and everything within I2P container is required to route through 4444 even if it's XHR to clearnet. Average users probably use a dedicated browser or run it within Tor browser. And even then, if you still consider clientside JS to be unsecure, in case of tech like NextJS when you can have purely serverside JS, it's no different from PHP. Idk about Nuxt, but I assume you can also have 100% SSR there.

rav wrote on September 2, 2025 at 4:02 PM

hono looks pretty interesting for building a website without client javascirpt.

dev OP wrote on September 3, 2025 at 10:09 AM

Looks promising but looks like cloudflare backed, in documentation they showing cloudflare and other cloud providers deployment ways. If I would create something on hidden service or i2p, i probably would host myself, i mean managing on linux server with Nginx. I assume you can do it with pm2 but still not like strong way to manage. In the other hand, I didn't find any template engine like pug on node.js, maybe I couldn't find it. Thanks for writing it tho, learned a new tech on JS ecosystem :)

rav wrote on September 3, 2025 at 10:05 PM

i forgot to mention this in the first post but i recommended hono because you can use jsx for templating https://hono.dev/docs/guides/jsx for hosting you should deno or bun instead of node. you might get better performence

dev OP wrote on September 4, 2025 at 9:00 AM

Are you sure this JSX template not gonna generate any JS on client side? I have a doubt about it :)

Recommended web technologies for I2P and Tor projects

Comments