docs: update readme

2026-03-01 12:59:36 +01:00
parent 31da68b6c1
commit 53dd416c17


@@ -11,6 +11,14 @@ A secure, self-hostable "burn after reading" paste service with ephemeral storag
- Fast and reliable
- Written in Gleam (type-safe)
## Architecture
- Gleam: Type-safe language built upon the BEAM
- Web: Wisp framework + Mist HTTP server
- Frontend: Lustre for HTML rendering
- Storage: In-memory only (no persistence)
- Security: AES-256-GCM client-side encryption, CSRF tokens, rate limiting, security headers
## Configuration
### SECRET_KEY_BASE (Required for Production)
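Review bot: The Architecture bullets added here use plain labels (`- Gleam:`, `- Security:`), while the copy of the same section removed further down used bold labels (`- **Gleam**:`), so the move silently changes the formatting; keep the bold labels unless the change is intended. The "Security" bullet is also a one-line summary only, so if it is meant to replace the longer Security Notes list it should at least say that the decryption key lives in the URL fragment and never reaches the server.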
@@ -50,6 +58,29 @@ gleam run
The server starts on `http://localhost:3000`.
## Docker image+deployment
### Build
```bash
docker build -t spasteg .
```
### Run
```bash
# Generate a secure key
docker run -p 3000:3000 -e SECRET_KEY_BASE=$(openssl rand -base64 48) spasteg
```
**With custom port:**
```bash
docker run -p 8080:3000 -e SECRET_KEY_BASE=$(openssl rand -base64 48) -e PORT=3000 spasteg
```
The container exposes port 3000 and runs as a non-root user with a health check configured.
## Usage
1. Visit `http://localhost:3000`
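Review bot: In both `docker run` examples the key is expanded on the command line via `-e SECRET_KEY_BASE=$(openssl rand -base64 48)`, which leaves the value readable in `docker inspect` output and in the process arguments, and the comment "# Generate a secure key" does not say that a new key is generated on every start. Suggest documenting an `--env-file` or a pre-set shell variable for production and stating whether a changing key per restart is acceptable. In the "With custom port" example, `-e PORT=3000` repeats the port the container already listens on and only the host side of `-p 8080:3000` changes, so either drop the variable or show a case where it differs. The heading "Docker image+deployment" would read better as "Docker image and deployment".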
@@ -60,27 +91,6 @@ The server starts on `http://localhost:3000`.
Note: the creator cannot see their post with the copied link (except in private browsing) - it would be burned immediately.
## Architecture
- **Gleam**: Type-safe language built upon the BEAM
- **Web**: Wisp framework + Mist HTTP server
- **Frontend**: Lustre for HTML rendering
- **Storage**: In-memory only (no persistence)
- **Security**: AES-256-GCM client-side encryption, CSRF tokens, rate limiting, security headers
## Security Notes
- Pastes are client-side encrypted (AES-256-GCM) before being sent to server
- Server never sees the decryption key (stored in URL fragment after `#`)
- Data is stored **encrypted** in server memory only
- Data is **never written to disk**
- All data is lost on server restart
- CSRF protection via double-submit cookie pattern
- Rate limiting: 10 requests per IP (resets on server restart)
- Security headers: CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy
- 10MB maximum paste size limit
- Intended for ephemeral sharing only — do not store sensitive data
## License
This project is licensed under the GNU General Public License v3.0 or later (GPLv3+). See the [LICENSE](LICENSE) file for details.
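Review bot: Going by the hunk header (27 lines down to 6), the whole "Security Notes" section is deleted along with the old Architecture block, but only Architecture is re-added earlier in the file. That drops details the one-line "Security" bullet does not carry: the key being kept in the URL fragment after `#`, the double-submit cookie pattern for CSRF, the limit of 10 requests per IP, the 10MB paste size limit, the list of security headers, and the "do not store sensitive data" caveat. If the removal is not intentional, keep the section (for example directly after Architecture); if it is, the commit message "docs: update readme" should mention it.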