Spearhead/privateburn
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
privateburn/README.md
Marius Pana 09139f0681 engage
2026-01-15 13:38:02 +02:00

2.6 KiB
Raw Blame History

🔥 SecureBurn

A ultra-minimalist, zero-dependency Node.js "PrivateBin" clone. It allows users to share encrypted secrets that self-destruct (burn) immediately after the first access.

🛡️ Security Model: Zero-Knowledge

Encryption: AES-256-GCM encryption happens entirely in the sender's browser.

Privacy: The decryption key is stored in the URL after the # symbol (the fragment identifier).

Blind Storage: Browsers do not send the URL fragment to the server. Therefore, the server only ever sees and stores encrypted binary data. It has no way to read your secrets.

Self-Destruction: The server deletes the encrypted file from the disk the moment it is streamed to a recipient.

🚀 Getting Started

Prerequisites

Node.js (v16.0.0 or higher recommended) No package manager (npm/yarn) is required.

Installation & Running

Clone or copy the three files (server.js, index.html, auth.json) into a directory.

Start the server:

node server.js

Access the UI: Open http://localhost:3000 in your browser.

🛠️ Configuration

The application is designed to be plug-and-play. You can modify the constants at the top of server.js:

PORT: The port the server listens on (default: 3000).

DATA_DIR: Where encrypted blobs are stored (default: ./data).

MAX_SIZE_BYTES: Maximum secret size (default: 10MB).

📡 API Usage

You can create burn codes programmatically without using the web UI.

Create a Secret

Endpoint: POST /api/secret

Body: Raw binary data (the encrypted payload).

Example using curl:

curl -X POST --data-binary "@encrypted_file.bin" http://localhost:3000/api/secret
Response:

JSON
{ "id": "550e8400-e29b-41d4-a716-446655440000" }

📋 Features

Zero Dependencies: Uses only native Node.js modules (http, fs, crypto, path).

10MB Capacity: Handles large text blocks or small files.

One-Click Copy: Generated links are automatically copied to the clipboard.

Mobile Friendly: Clean, responsive "Chat-style" UI.

Secure Erasure: Uses fs.unlink to ensure the file is removed from the filesystem after one read.

⚠️ Important Notes

Persistence: Since it uses the file system, secrets will survive a server restart until they are burned.

HTTPS: To use the Web Crypto API (window.crypto), this app must be served over HTTPS in production (except for localhost).

Todo

  • tested only on macos using safari (not sure if works on other platforms)
  • add some method to delete secrets that have not been accessed within a certain time frame.
  • add some method to expiry secrets (e.g. when creating, maybe define how long they should be valid for)