💬 SecurePaste

A secure, encrypted-at-rest, and privacy-focused text sharing service for sensitive snippets with advanced security features.

Overview

SecurePaste is a modern text sharing application designed with security and privacy in mind. Unlike traditional text sharing services, SecurePaste encrypts content on the server before storing it, ensuring that database contents remain protected if storage alone is exposed. The application offers features like password protection, customizable expiration times, and raw content viewing, all wrapped in a clean, intuitive interface.

Security Updates

1. Safer IP handling The rate limiter no longer trusts X-Real-IP by default. This helps prevent users from bypassing limits by sending a fake IP header.

2. Production-ready rate limiting Added Redis-backed rate limiting for production environments. This makes rate limits more reliable across multiple app instances.

3. Improved memory fallback The in-memory rate limiter now removes empty keys and limits its own growth. This helps prevent unnecessary memory usage over time.

4. Safer paste ID generation Replaced random.choices with secrets.choice for paste ID generation. Paste IDs are now generated with a more secure randomness source.

5. Stricter encryption key handling Removed unsafe Fernet key padding. The encryption key is now validated exactly as provided instead of being silently modified.

6. Required production secrets Added mandatory checks for SECRET_KEY, ENCRYPTION_KEY, and production Redis settings. The app now refuses unsafe production configuration.

7. Password length limit Added a password length limit before bcrypt hashing. This helps protect the server from expensive hashing requests with extremely long passwords.

8. Safer raw paste access Password-protected pastes can now be opened through /raw/<paste_id> using POST with CSRF protection.

9. Security headers Added security headers, including X-Content-Type-Options: nosniff, to reduce the risk of unsafe browser behavior.

10. More accurate view counting Paste views are now counted only once per session. This makes view numbers more reliable and harder to inflate accidentally.

11. Encryption wording fixed Removed incorrect claims about end-to-end encryption from the README and templates. The service now accurately describes encryption as server-side encryption at rest.

Features

SecurePaste offers a comprehensive set of features focused on security and usability:

• Server-Side Encryption at Rest: All content is encrypted before being stored in the database using Fernet symmetric encryption.
• Password Protection: Add an extra layer of security by setting a password for your shared text.
• Customizable Expiration: Choose how long your content should be available (1 hour, 1 day, 1 month, 3 months, or 6 months).
• Rate Limiting: Protection against abuse through intelligent rate limiting on both viewing and creating content.
• CSRF Protection: Built-in protection against Cross-Site Request Forgery attacks.
• Raw Content View: Access your text in raw format for easy copying or downloading.
• Minimalist Design: Clean and responsive user interface that works across devices.
• Automatic Cleanup: Background task that removes expired content to maintain database efficiency.

Technologies

SecurePaste is built with modern, reliable technologies:

• Quart: An asynchronous Python web framework compatible with the ASGI standard
• MongoDB: A NoSQL database for flexible and scalable data storage
• Fernet Encryption: Symmetric encryption to protect paste content
• Bcrypt: Secure password hashing for protected pastes
• Async/Await: Leveraging Python's asynchronous capabilities for improved performance

Installation

Prerequisites

• Python 3.7 or higher
• MongoDB
• pip (Python package manager)

Setup

1. Clone the repository:

git clone https://github.com/lordofsunshine/securepaste.git
cd securepaste

2. Create a virtual environment:

python -m venv venv
source venv/bin/activate  # On Windows, use: venv\Scripts\activate

3. Install dependencies:

pip install -r requirements.txt

4. Create a .env file in the project root with the following variables:

SECRET_KEY=your_secret_key_here
ENCRYPTION_KEY=your_fernet_encryption_key_here
MONGO_URI=mongodb://localhost:27017/securepaste
SITE_URL=http://localhost:5000
RATE_LIMIT_BACKEND=redis
REDIS_URL=redis://localhost:6379/0

To generate a secure Fernet key, you can use:

from cryptography.fernet import Fernet
print(Fernet.generate_key().decode())

5. Start the application:

python app.py

The application will be available at http://localhost:5000.

Deployment

For production deployment, it's recommended to use a production ASGI server such as Hypercorn or Uvicorn. You should also ensure that:

• HTTPS is enabled
• Environment variables are securely set
• A production MongoDB instance is used
• Redis-backed rate limiting is enabled with RATE_LIMIT_BACKEND=redis and REDIS_URL

Example deployment with Hypercorn:

pip install hypercorn
hypercorn app:app --bind 0.0.0.0:8000

License

This project is licensed under the MIT License - see the LICENSE file for details.