Skip to content
/ secret Public

A simple php (lumen) app for sharing sensitive text (basically like onetimesecret), but with full end-to-end AES-256-GCM encryption so even the server has no access to the data, and developed with very simple deployment in mind.

License

GPL-2.0 license
51 stars 4 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

alancwoo/secret

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

33 Commits

app

app

 
 

bootstrap

bootstrap

 
 

database

database

 
 

public

public

 
 

resources

resources

 
 

routes

routes

 
 

storage

storage

 
 

tests

tests

 
 

.editorconfig

.editorconfig

 
 

.env.example

.env.example

 
 

.gitignore

.gitignore

 
 

.htaccess

.htaccess

 
 

.styleci.yml

.styleci.yml

 
 

LICENSE.md

LICENSE.md

 
 

README.md

README.md

 
 

artisan

artisan

 
 

composer.json

composer.json

 
 

composer.lock

composer.lock

 
 

package-lock.json

package-lock.json

 
 

package.json

package.json

 
 

phpunit.xml

phpunit.xml

 
 

screenshot.png

screenshot.png

 
 

tailwind.config.js

tailwind.config.js

 
 

webpack.mix.js

webpack.mix.js

 
 

Repository files navigation

🔒 Secret

A simple php (lumen) app for sharing sensitive text (basically like onetimesecret), but with full end-to-end AES-256-GCM encryption so even the server has no access to the data, and developed with very simple deployment in mind.

Screenshot

What is it for

I often need to send credentials or sensitive information to clients and colleagues and really prefer not to send these things over email/chat where they remain forever prone to breaches and also attached to a context in email threads (eg, it is clear such data is connected to a site/identity/account).

It is even better to send the URL and the KEY separately through different channels and instruct the user to recombine them in the address bar.

Coming soon: support for binaries/file uploads.

Requirements

Install

  • Clone the repo
  • Copy .env.example to .env
  • Configure APP_URL with the url, APP_KEY with a random string, NEW_ITEM_PASSWORD with a password for the creation of new items. (Highly recommended, see Why set a password).
  • If desired, adjust ALLOWED_TAGS as a comma separated list br,a,img
  • touch database/database.sqlite
  • composer install
  • php artisan migrate

Dev

  • composer install
  • npm i
  • Set URL in webpack.mix.js
  • npx mix watch
  • Build for production with npx mix --production

Why Set a Password?

  • A password is highly recommended. If no password is set, anyone can create secrets
  • There's no rate limiter, so without a password a troll could hammer the endpoint to create secrets
  • There's no CSRF protection, though an irrelevant vector since without a password, anyone can create secrets anyways
  • Sanitization can't be performed server-side since the data is e2e encrypted, a sanitization occurs (as per the ALLOWED_TAGS environment variable) before displaying the secret. An unlikely vector, since it is sanitized before display, but worth mentioning.

Notes

  • Not tested on IE/Edge, but from a look at the Compatibility table the requirements should be supported
  • Thank you Pichiste for helping debug the nightmare of SubtleCrypto ArrayBuffer <> String conversions.

License

GNU General Public License version 2

About

A simple php (lumen) app for sharing sensitive text (basically like onetimesecret), but with full end-to-end AES-256-GCM encryption so even the server has no access to the data, and developed with very simple deployment in mind.

Resources

Readme

License

GPL-2.0 license
Activity

Stars

51 stars

Watchers

4 watching

Forks

4 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages