Built a Pastebin alternative that implements client-side encryption to minimize server-side trust. The server never sees plaintext content, files or encryption keys.
Implementation
- Uses Web Crypto API (AES-256-GCM)
- Keys generated with `crypto.getRandomValues()`
- Random IV per operation
- Content chunked into 4KB buckets
- Argon2id for password hashing
- Keys embedded in URL fragments
Architecture
- Laravel backend stores only encrypted blobs
- All crypto handled in JavaScript (client-side)
- No server-side key storage
- Metadata stored separately
Security Considerations
- XSS could compromise client-side crypto
- URL fragments may be logged in some contexts
- No perfect forward secrecy
- Relies entirely on client-side security
Questions
- How can I improve key management?
- Is there a viable way to add forward secrecy?
- Should additional security layers (e.g., CSP, iframe sandboxing) be added?
goldykr•1h ago
Implementation - Uses Web Crypto API (AES-256-GCM) - Keys generated with `crypto.getRandomValues()` - Random IV per operation - Content chunked into 4KB buckets - Argon2id for password hashing - Keys embedded in URL fragments
Architecture - Laravel backend stores only encrypted blobs - All crypto handled in JavaScript (client-side) - No server-side key storage - Metadata stored separately
Security Considerations - XSS could compromise client-side crypto - URL fragments may be logged in some contexts - No perfect forward secrecy - Relies entirely on client-side security
Questions - How can I improve key management? - Is there a viable way to add forward secrecy? - Should additional security layers (e.g., CSP, iframe sandboxing) be added?
****************
URL: https://dailyforever.com/
****************