I'm still kinda lost on nostr keys safety. I've generated them on astral.ninja and I'm using the same website to browse. Since we are not using signing devices and private keys need to be on the computer, maybe even on the site server, I guess I don't have total control.
Discussion
Look into using the extension nos2x. It's a signing device / extension.
Thanks! nos2x up and running. Now I'll look into removing private keys from astral.ninja, or just remove cookies and login again, if it's all client side.
I didn’t review the code, but I would expect that keys are generated client-side and that the private key doesn’t leave the browser storage.
I did not review the code either, but this is how I believe it works. Both keys are stored in local browser storage unless you use a signing extension, then only the public key is stored there.
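An added example, not part of the thread and not astral.ninja's code: one way to check what a nostr web client left in browser storage before and after switching to a signing extension. The storage key names and sample values are constructed; the bech32 checksum is not verified, and a 64-character hex value is reported as ambiguous because it can be either key.

```javascript
// bech32 data characters (no "1", "b", "i", "o"); 32-byte key => 58 chars after "nsec1"/"npub1".
const B32 = "[02-9ac-hj-np-z]{58}";
const NSEC = new RegExp(`^nsec1${B32}$`);
const NPUB = new RegExp(`^npub1${B32}$`);
const HEX32 = /^[0-9a-f]{64}$/i;

function classify(value) {
  if (NSEC.test(value)) return "private-key";
  if (NPUB.test(value)) return "public-key";
  if (HEX32.test(value)) return "hex-32-bytes"; // could be a public or a private key
  return null;
}

// entries: plain object of storage key -> string value.
// In a browser console, on the client's own origin: auditStorage(localStorage)
function auditStorage(entries) {
  const findings = [];
  const walk = (path, v) => {
    if (typeof v === "string") {
      const kind = classify(v.trim());
      if (kind) { findings.push({ path, kind }); return; }
      try {
        // Clients often store a JSON blob under one key; look inside it.
        const parsed = JSON.parse(v);
        if (typeof parsed === "object" || typeof parsed === "string") walk(path, parsed);
      } catch { /* not JSON, nothing to inspect */ }
    } else if (v && typeof v === "object") {
      for (const [k, child] of Object.entries(v)) walk(`${path}.${k}`, child);
    }
  };
  for (const [k, v] of Object.entries(entries)) walk(k, v);
  return findings;
}

// Constructed sample: hypothetical key names, placeholder key material.
const SAMPLE = {
  keys: JSON.stringify({ pub: "npub1" + "q".repeat(58), priv: "nsec1" + "q".repeat(58) }),
  theme: "dark",
  lastRelay: "wss://relay.example",
  profileCache: JSON.stringify({ id: "ab".repeat(32) }),
};

for (const f of auditStorage(SAMPLE)) console.log(`${f.kind}\t${f.path}`);
```

With a signing extension in use, a `private-key` finding should no longer appear for that site; any `hex-32-bytes` finding needs a manual look to tell which key it is.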