browse remote zip files without downloading them
we send a HEAD request to the url to check if the server supports Accept-Ranges: bytes. this tells us we can request specific byte ranges instead of downloading the entire file. we also detect whether the connection uses HTTP/2 for multiplexed requests.
zip files store their table of contents (the "central directory") at the end of the file. we use a range request to fetch just the last 16 KB, which contains the end-of-central-directory record. from that, we learn where the full directory listing lives and fetch it — typically a few KB even for archives with thousands of files.
we parse every entry in the central directory — file names, sizes, compression methods, offsets — and build an interactive file tree. at this point we've downloaded a tiny fraction of the archive but can see everything inside it.
when you pick files, we send targeted range requests for just those files' byte ranges. each request fetches the local file header + compressed data. on HTTP/2, all requests are multiplexed over a single connection for maximum speed.
compressed files are inflated client-side using fflate (a fast, pure-js deflate implementation). every file is verified against its CRC-32 checksum from the central directory to ensure integrity. then it's offered as a browser download.
zip.see supports AES-128 and AES-256 encrypted archives (the WinZip AES standard). when you select encrypted files, you're prompted for the password once. key derivation (PBKDF2-SHA1) and decryption (AES-CTR) happen entirely in your browser using the native Web Crypto API — your password never leaves the page. AES-CTR mode allows each 16-byte block to be decrypted independently, so it works naturally with range requests. file integrity is verified via HMAC-SHA1 and CRC-32.
browsers block cross-origin requests by default. when the zip file is on a different domain, requests are routed through a lightweight cloudflare worker that forwards range headers and adds the necessary cors headers. same-origin requests skip the proxy entirely.
everything runs in your browser. no file data touches our servers — the cors proxy only streams bytes through, never stores them. passwords and decrypted data stay in your browser's memory and are never transmitted. zip64 archives (>4 GB) are supported.