Kharec/spasteg
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
22 Commits 1 Branch 0 Tags
3bb857ec19e13e474ffc209fdbd59080d59a5eed
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Kharec 3bb857ec19 docs: update readme
2026-03-01 12:14:38 +01:00
src
clean: ultimately, we're not implementing a reset
2026-03-01 12:13:52 +01:00
test
test: we should write some
2026-03-01 08:40:41 +01:00
.gitignore
git: ignore
2026-03-01 08:10:49 +01:00
gleam.toml
fix: avoid using quotation marks in the description, even escaped one
2026-03-01 08:49:10 +01:00
LICENSE
Initial commit
2026-02-28 21:10:12 +01:00
manifest.toml
gleam: add manifest
2026-03-01 08:40:35 +01:00
README.md
docs: update readme
2026-03-01 12:14:38 +01:00

README.md

spasteg

A secure, self-hostable "burn after reading" paste service with ephemeral storage written in Gleam.

Features

  • Deletes pastes after they are viewed
  • Data is stored only in memory
  • No user accounts needed
  • Easy to run yourself
  • Fast and reliable
  • Written in Gleam (type-safe)

Configuration

SECRET_KEY_BASE (Required for Production)

The application uses a secret key base for signing cookies and security tokens.

You must set this for production deployments to ensure security and session persistence across restarts.

# Generate a secure key (48 bytes of random data)
export SECRET_KEY_BASE=$(openssl rand -base64 48)

# Or set it manually
export SECRET_KEY_BASE="your-secret-key-here"

⚠️ Warning: If not set, a temporary key will be generated on each startup. This:

  • Invalidates all existing user sessions/cookies after restart
  • Reduces security (new key generated each time)
  • Generates a warning in the logs

For development, you can use:

SECRET_KEY_BASE=dev gleam run

Quick Start

# Clone and build
git clone https://git.kharec.info/Kharec/spasteg.git
cd spasteg
gleam run

The server starts on http://localhost:3000.

Usage

  1. Visit http://localhost:3000
  2. Enter your text in the form
  3. Click "Create Paste"
  4. Share the generated URL
  5. The paste auto-destructs after first access

Note: the creator cannot see their post with the copied link (except in private browsing) - it would be burned immediately.

Architecture

  • Gleam: Type-safe language built upon the BEAM
  • Web: Wisp framework + Mist HTTP server
  • Frontend: Lustre for HTML rendering
  • Storage: In-memory only (no persistence)
  • Security: AES-256-GCM client-side encryption, CSRF tokens, rate limiting, security headers

Security Notes

  • Pastes are client-side encrypted (AES-256-GCM) before being sent to server
  • Server never sees the decryption key (stored in URL fragment after #)
  • Data is stored encrypted in server memory only
  • Data is never written to disk
  • All data is lost on server restart
  • CSRF protection via double-submit cookie pattern
  • Rate limiting: 10 requests per IP (resets on server restart)
  • Security headers: CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy
  • 10MB maximum paste size limit
  • Intended for ephemeral sharing only — do not store sensitive data

License

This project is licensed under the GNU General Public License v3.0 or later (GPLv3+). See the LICENSE file for details.

Reference in New Issue View Git Blame Copy Permalink
Description
A secure self-hostable burn-after-reading paste service
gleam
Readme GPL-3.0 287 KiB
Languages
Gleam 97.8%
Dockerfile 2.2%