Overview
Discover what makes FlashPaper powerful
FlashPaper is a lightweight, zero‑knowledge pastebin designed for developers who require secure, one‑time secrets without the overhead of a traditional database or complex deployment. At its core, it encrypts user payloads end‑to‑end: the client never sees plaintext after submission, and the server stores only encrypted blobs along with a bcrypt‑protected identifier. This guarantees that even if the database is compromised, secrets remain unintelligible without the one‑time key embedded in the URL.
Architecture
- Language & Runtime: PHP 7.0+ running under any WSGI‑compatible web server (Apache, Nginx, etc.). The codebase is procedural with minimal dependencies, making it trivial to audit and integrate into existing PHP stacks.
- Persistence: A single SQLite file (<random>--secrets.sqlite) holds all metadata. No external DBMS is required, simplifying deployment and reducing attack surface.
- Encryption Flow:
  - A random 256‑bit AES key and IV are generated per secret.
  - The plaintext is first encrypted with this key (AES‑256‑CBC), then re‑encrypted with a static 256‑bit AES key stored on disk (<random>--aes-static.key).
  - The concatenation of secret ID and AES key (k) is bcrypt‑hashed to prevent tampering.
- Containerization: The Docker image (ghcr.io/andrewpaglusch/flashpaper) bundles PHP, SQLite, and the static key, exposing a single port. Docker‑Compose is provided for quick spin‑up, and the image supports multi‑arch builds.
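The encryption flow listed above, as an added PHP sketch that is not FlashPaper's own code: it creates a secret with both AES layers and the bcrypt check, then shows that a read needs the key from the URL and works only once. The function names, the in-memory `$store`, the `id.key` token layout and the storage of the IVs are assumptions made for the illustration.

```php
<?php
// Added illustration, not FlashPaper's source. Function names, the in-memory
// $store, the "id.key" token layout and where the IVs live are assumptions.
const CIPHER = 'aes-256-cbc';

function b64url(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function create_secret(string $plain, string $staticKey, array &$store): string {
    $id = bin2hex(random_bytes(8));      // row identifier, 16 chars
    $k  = random_bytes(32);              // per-secret 256-bit key
    $iv = random_bytes(16);              // per-secret IV (one AES block)
    $inner = openssl_encrypt($plain, CIPHER, $k, OPENSSL_RAW_DATA, $iv);
    $iv2   = random_bytes(16);           // IV for the static-key layer
    $outer = openssl_encrypt($inner, CIPHER, $staticKey, OPENSSL_RAW_DATA, $iv2);
    // bcrypt uses only the first 72 bytes of its input and cannot take NUL
    // bytes, so hash the text form of k: 16 + 43 = 59 bytes.
    $kText = b64url($k);
    $store[$id] = [
        'iv' => $iv, 'iv2' => $iv2, 'blob' => $outer,
        'hash' => password_hash($id . $kText, PASSWORD_BCRYPT),
    ];
    return $id . '.' . $kText;           // placed in the URL, never stored
}

function retrieve_secret(string $token, string $staticKey, array &$store): ?string {
    [$id, $kText] = array_pad(explode('.', $token, 2), 2, '');
    $row = $store[$id] ?? null;
    if ($row === null || !password_verify($id . $kText, $row['hash'])) {
        return null;                     // unknown id or wrong key: row is kept
    }
    unset($store[$id]);                  // destroy on first successful read
    $k = base64_decode(strtr($kText, '-_', '+/'));
    $inner = openssl_decrypt($row['blob'], CIPHER, $staticKey, OPENSSL_RAW_DATA, $row['iv2']);
    if ($inner === false) {
        return null;
    }
    $plain = openssl_decrypt($inner, CIPHER, $k, OPENSSL_RAW_DATA, $row['iv']);
    return $plain === false ? null : $plain;
}

// Constructed sample run; $staticKey stands in for the on-disk static key.
$staticKey = random_bytes(32);
$store = [];
$token = create_secret('db_password=constructed-sample', $staticKey, $store);
var_dump(retrieve_secret($token . 'x', $staticKey, $store)); // altered key
var_dump(retrieve_secret($token, $staticKey, $store));       // first read
var_dump(retrieve_secret($token, $staticKey, $store));       // second read
```

In this sketch the bcrypt check binds the ID to the key, not to the stored ciphertext. CBC provides no integrity of its own, so a modified blob is caught only if the padding happens to fail.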
Core Capabilities
- One‑Time Secret Generation: Exposes a simple HTTP POST endpoint that accepts raw text and returns a JSON payload with the one‑time URL.
- Secure Retrieval: A GET request to the provided URL triggers decryption and automatic deletion, ensuring secrets are destroyed after first access.
- API Friendly: No authentication layer is required; the one‑time key itself acts as a bearer token, making it suitable for integration into CI/CD pipelines or internal tooling.
- Prune Mechanism: Randomized expiration dates (min_days/max_days) are stored per secret, allowing a background cron job to clean stale entries without affecting active secrets.
Deployment & Infrastructure
- Self‑Hosting: A single static file (settings.php) configures the application; no database migrations or schema setup are needed.
- Scalability: While SQLite limits concurrent writes, the low write volume typical of pastebin use cases keeps contention minimal. For higher throughput, developers can swap SQLite for PostgreSQL with minor code changes (the data model is simple).
- Reverse Proxy: The README recommends terminating TLS upstream, which keeps FlashPaper stateless and simplifies certificate management.
- Container Support: The official Docker image is built for multiple CPU architectures (x86_64, arm64). Deploying on Kubernetes or ECS is straightforward using the provided docker-compose.yml as a reference.
Integration & Extensibility
- Webhooks: Although not built‑in, the lightweight architecture allows developers to hook into request/response cycles by wrapping FlashPaper in a microservice layer that emits events on secret creation or retrieval.
- Plugin System: No formal plugin API exists, but the procedural code can be extended by including additional PHP files in settings.php or wrapping FlashPaper with middleware.
- Customization: Themes and templates are pure HTML/CSS files; swapping them is as simple as replacing assets in the public/ directory. This makes it trivial to brand FlashPaper for internal portals.
Developer Experience
- Documentation: The README covers all necessary steps, from Docker to traditional PHP deployment. Inline comments in the source explain cryptographic choices.
- Community & Licensing: Released under an MIT‑style license, FlashPaper encourages contributions. The active GitHub repo hosts issue trackers and CI workflows that validate every release.
- Configuration Options: settings.php exposes parameters such as min_days, max_days, and file paths, enabling fine‑grained control over expiration policies without code changes.
Use Cases
- CI/CD Secrets: Generate temporary tokens or one‑time passwords during pipeline runs and expose them to developers via the API.
- Internal Documentation: Share credentials or snippets that must be destroyed after first use, preventing accidental leakage.
- Bug‑Tracking: Provide secure links to logs or stack traces that self‑expire, ensuring privacy compliance.
- Education & Demo: Demonstrate secure data handling in workshops without needing a full database setup.
Advantages
- Zero‑Knowledge: Encryption is performed entirely on the server; no plaintext persists beyond the request.
- Minimal Footprint: No database servers, minimal dependencies, and a single Docker image simplify operations.
- High Performance: AES‑256‑CBC is fast; SQLite handles the light write load efficiently.
- Licensing Freedom: MIT‑style license removes vendor lock‑in, allowing internal modification or redistribution.
- Developer‑Centric: Simple API, clear configuration, and open source code make it a drop‑in component for any PHP‑based infrastructure.
