From 53dd416c17e5fd3308cf258625d7081d274f24c8 Mon Sep 17 00:00:00 2001 From: Kharec Date: Sun, 1 Mar 2026 12:59:36 +0100 Subject: [PATCH] docs: update readme --- README.md | 52 +++++++++++++++++++++++++++++++--------------------- 1 file changed, 31 insertions(+), 21 deletions(-) diff --git a/README.md b/README.md index 83622da..3140cc4 100644 --- a/README.md +++ b/README.md @@ -11,6 +11,14 @@ A secure, self-hostable "burn after reading" paste service with ephemeral storag - Fast and reliable - Written in Gleam (type-safe) +## Architecture + +- Gleam: Type-safe language built upon the BEAM +- Web: Wisp framework + Mist HTTP server +- Frontend: Lustre for HTML rendering +- Storage: In-memory only (no persistence) +- Security: AES-256-GCM client-side encryption, CSRF tokens, rate limiting, security headers + ## Configuration ### SECRET_KEY_BASE (Required for Production) @@ -50,6 +58,29 @@ gleam run The server starts on `http://localhost:3000`. +## Docker image+deployment + +### Build + +```bash +docker build -t spasteg . +``` + +### Run + +```bash +# Generate a secure key +docker run -p 3000:3000 -e SECRET_KEY_BASE=$(openssl rand -base64 48) spasteg +``` + +**With custom port:** + +```bash +docker run -p 8080:3000 -e SECRET_KEY_BASE=$(openssl rand -base64 48) -e PORT=3000 spasteg +``` + +The container exposes port 3000 and runs as a non-root user with a health check configured. + ## Usage 1. Visit `http://localhost:3000` @@ -60,27 +91,6 @@ The server starts on `http://localhost:3000`. Note: the creator cannot see their post with the copied link (except in private browsing) - it would be burned immediately. -## Architecture - -- **Gleam**: Type-safe language built upon the BEAM -- **Web**: Wisp framework + Mist HTTP server -- **Frontend**: Lustre for HTML rendering -- **Storage**: In-memory only (no persistence) -- **Security**: AES-256-GCM client-side encryption, CSRF tokens, rate limiting, security headers - -## Security Notes - -- Pastes are client-side encrypted (AES-256-GCM) before being sent to server -- Server never sees the decryption key (stored in URL fragment after `#`) -- Data is stored **encrypted** in server memory only -- Data is **never written to disk** -- All data is lost on server restart -- CSRF protection via double-submit cookie pattern -- Rate limiting: 10 requests per IP (resets on server restart) -- Security headers: CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy -- 10MB maximum paste size limit -- Intended for ephemeral sharing only — do not store sensitive data - ## License This project is licensed under the GNU General Public License v3.0 or later (GPLv3+). See the [LICENSE](LICENSE) file for details.