81 lines
2.6 KiB
Markdown
81 lines
2.6 KiB
Markdown
# 🔥 SecureBurn
|
|
A ultra-minimalist, zero-dependency Node.js "PrivateBin" clone. It allows users to share encrypted secrets that self-destruct (burn) immediately after the first access.
|
|
|
|
# 🛡️ Security Model: Zero-Knowledge
|
|
Encryption: AES-256-GCM encryption happens entirely in the sender's browser.
|
|
|
|
Privacy: The decryption key is stored in the URL after the # symbol (the fragment identifier).
|
|
|
|
Blind Storage: Browsers do not send the URL fragment to the server. Therefore, the server only ever sees and stores encrypted binary data. It has no way to read your secrets.
|
|
|
|
Self-Destruction: The server deletes the encrypted file from the disk the moment it is streamed to a recipient.
|
|
|
|
# 🚀 Getting Started
|
|
## Prerequisites
|
|
|
|
Node.js (v16.0.0 or higher recommended)
|
|
No package manager (npm/yarn) is required.
|
|
|
|
## Installation & Running
|
|
|
|
Clone or copy the three files (server.js, index.html, auth.json) into a directory.
|
|
|
|
Start the server:
|
|
|
|
```Bash
|
|
node server.js
|
|
```
|
|
Access the UI: Open http://localhost:3000 in your browser.
|
|
|
|
|
|
# 🛠️ Configuration
|
|
The application is designed to be plug-and-play. You can modify the constants at the top of server.js:
|
|
|
|
PORT: The port the server listens on (default: 3000).
|
|
|
|
DATA_DIR: Where encrypted blobs are stored (default: ./data).
|
|
|
|
MAX_SIZE_BYTES: Maximum secret size (default: 10MB).
|
|
|
|
# 📡 API Usage
|
|
You can create burn codes programmatically without using the web UI.
|
|
|
|
Create a Secret
|
|
|
|
Endpoint: POST /api/secret
|
|
|
|
Body: Raw binary data (the encrypted payload).
|
|
|
|
Example using curl:
|
|
|
|
```Bash
|
|
curl -X POST --data-binary "@encrypted_file.bin" http://localhost:3000/api/secret
|
|
Response:
|
|
|
|
JSON
|
|
{ "id": "550e8400-e29b-41d4-a716-446655440000" }
|
|
```
|
|
|
|
# 📋 Features
|
|
Zero Dependencies: Uses only native Node.js modules (http, fs, crypto, path).
|
|
|
|
10MB Capacity: Handles large text blocks or small files.
|
|
|
|
One-Click Copy: Generated links are automatically copied to the clipboard.
|
|
|
|
Mobile Friendly: Clean, responsive "Chat-style" UI.
|
|
|
|
Secure Erasure: Uses fs.unlink to ensure the file is removed from the filesystem after one read.
|
|
|
|
# ⚠️ Important Notes
|
|
Persistence: Since it uses the file system, secrets will survive a server restart until they are burned.
|
|
|
|
HTTPS: To use the Web Crypto API (window.crypto), this app must be served over HTTPS in production (except for localhost).
|
|
|
|
|
|
# Todo
|
|
- tested only on macos using safari (not sure if works on other platforms)
|
|
- example of how to use the api ( i think we need another script to alse generate the jwt as well )
|
|
- add some method to delete secrets that have not been accessed within a certain time frame.
|
|
- add some method to expiry secrets (e.g. when creating, maybe define how long they should be valid for)
|