Leopere c5c44986d8 Add build script to package.json for Docker build 2025-03-01 18:37:27 -05:00
lib Add comprehensive security headers support with testing framework 2025-03-01 18:33:46 -05:00
static Fix button alignment and visibility issues, implement CSP improvements with nonce support 2025-03-01 17:49:24 -05:00
test Delete test/redis_document_store_spec.js 2023-12-27 16:06:25 +00:00
.eslintignore Fix eslint 2017-06-26 12:38:17 -04:00
.eslintrc.json Added eslint and fixed an issue from #158 2017-06-26 12:19:36 -04:00
.gitignore Update TODO 2011-11-22 16:51:35 -05:00
Dockerfile Fix Docker build issues by updating Node version and addressing npm installation errors 2025-03-01 18:36:47 -05:00
LICENSE.md Add LICENSE.md 2024-01-19 18:38:52 +00:00
Procfile Procfile 2012-09-27 11:38:14 -04:00
README.md Add comprehensive security headers support with testing framework 2025-03-01 18:33:46 -05:00
about.md Update about.md 2024-01-19 18:15:36 +00:00
app.sh Fix Docker build issues by updating Node version and addressing npm installation errors 2025-03-01 18:36:47 -05:00
config.js Add comprehensive security headers support with testing framework 2025-03-01 18:33:46 -05:00
docker-compose.yml Fix Docker build issues by updating Node version and addressing npm installation errors 2025-03-01 18:36:47 -05:00
package-lock.json Fix button alignment and visibility issues, implement CSP improvements with nonce support 2025-03-01 17:49:24 -05:00
package.json Add build script to package.json for Docker build 2025-03-01 18:37:27 -05:00
server.js Add comprehensive security headers support with testing framework 2025-03-01 18:33:46 -05:00
test-local.js Fix button alignment and visibility issues, implement CSP improvements with nonce support 2025-03-01 17:49:24 -05:00
test-security.js Add comprehensive security headers support with testing framework 2025-03-01 18:33:46 -05:00
test-security.sh Add comprehensive security headers support with testing framework 2025-03-01 18:33:46 -05:00
update-js.js Fix button alignment and visibility issues, implement CSP improvements with nonce support 2025-03-01 17:49:24 -05:00

README.md

Haste

Haste is an open-source pastebin written in node.js that is easy to install in any network. It can be backed by either redis or the filesystem, and has a very simple adapter interface for other stores. A publicly available version can be found at haste.nixc.us

Major design objectives:

  • Be really pretty
  • Be really simple
  • Be easy to set up and use

UI Testing

Planned: browser-specific testing to ensure that UI regressions don't go unnoticed.

  • TODO: add 3 main desktop browsers.
  • TODO: add 2 main mobile browsers.
  • TODO: test a go binary that can stream text to hastebin.

Installation

  • TODO: update the instructions for running with docker compose up -d; possibly record an asciinema session for this.

The container exists at git.nixc.us/colin/haste:haste-production and may be made public eventually.

Settings

  • host - the host the server runs on (default localhost)
  • port - the port the server runs on (default 7777)
  • keyLength - the length of the keys to use (default 10)
  • maxLength - maximum length of a paste (default none)
  • staticMaxAge - max age for static assets (default 86400)
  • recompressStaticAssets - whether or not to compile static js assets (default true)
  • documents - static documents to serve (ex: http://hastebin.com/about.com) in addition to static assets. These will never expire.
  • storage - storage options (see below)
  • logging - logging preferences
  • keyGenerator - key generator options (see below)
  • rateLimits - settings for rate limiting (see below)
  • security - settings for Content Security Policy and other security features (see below)

Rate Limiting

When present, the rateLimits option enables built-in rate limiting courtesy of connect-ratelimit. Any of the options supported by that library can be used and set in config.json.

See the README for connect-ratelimit for more information!

Security Settings

The security section in the configuration allows you to control various security features, particularly the Content Security Policy (CSP):

{
  "security": {
    "csp": true,                  // Enable/disable CSP entirely
    "hsts": false,                // Enable HTTP Strict Transport Security
    "scriptSources": [],          // Additional allowed script sources
    "bypassCSPInDev": false,      // Use permissive CSP in development mode
    "allowUnsafeHashes": true,    // Allow 'unsafe-hashes' in production for event handlers
    "enableCrossOriginIsolation": false // Enable strict Cross-Origin isolation headers
  }
}

Content Security Policy Options

  • csp - Enable or disable Content Security Policy headers (default: true)
  • hsts - Enable HTTP Strict Transport Security headers (default: false)
  • scriptSources - Additional script sources to allow (a comma-separated list when set via the environment variable)
  • bypassCSPInDev - In development mode (NODE_ENV=development), use a more permissive CSP that includes 'unsafe-inline' (default: false)
  • allowUnsafeHashes - Allow 'unsafe-hashes' in production mode for DOM event handlers (default: true)
  • enableCrossOriginIsolation - Enable strict Cross-Origin isolation headers (COEP, COOP, CORP) which enhance security but may break certain integrations (default: false)

Environment Variables for Security Settings

You can set these options through environment variables:

  • HASTEBIN_ENABLE_CSP - Enable/disable CSP (true/false)
  • HASTEBIN_ENABLE_HSTS - Enable/disable HSTS (true/false)
  • HASTEBIN_SCRIPT_SOURCES - Additional script sources (comma-separated)
  • HASTEBIN_BYPASS_CSP_IN_DEV - Allow unsafe-inline in development (true/false)
  • HASTEBIN_ALLOW_UNSAFE_HASHES - Allow unsafe-hashes in production (true/false)
  • HASTEBIN_ENABLE_CROSS_ORIGIN_ISOLATION - Enable Cross-Origin isolation headers (true/false)

CSP Implementation Details

The Content Security Policy implementation in Hastebin uses nonces to secure inline scripts while maintaining functionality:

  1. Nonces: A unique cryptographic nonce is generated for each request and applied to all script tags
  2. Development Mode: When running with NODE_ENV=development, you can bypass strict CSP checks using the bypassCSPInDev option
  3. Production Mode: In production, the CSP is configured to use nonces for all scripts, with optional 'unsafe-hashes' for event handlers
  4. Templates: The template system automatically injects nonces into script tags, so you don't need to manually add them to the HTML

Additional Security Headers

Besides CSP, Hastebin implements several other security headers:

  1. X-Content-Type-Options: nosniff - Prevents MIME-type sniffing
  2. X-Frame-Options: DENY - Prevents clickjacking attacks
  3. X-XSS-Protection: 1; mode=block - An additional layer of XSS protection
  4. Referrer-Policy: strict-origin-when-cross-origin - Controls referrer information
  5. Permissions-Policy: Restricts browser features (camera, microphone, geolocation, etc.)
  6. Cross-Origin-Embedder-Policy: require-corp - Enhances cross-origin isolation
  7. Cross-Origin-Resource-Policy: same-origin - Protects resources from unauthorized requests
  8. Cross-Origin-Opener-Policy: same-origin - Helps with cross-origin isolation
  9. Strict-Transport-Security: max-age=31536000; includeSubDomains; preload - Ensures HTTPS usage (when enabled)

Running in Development Mode

To run Hastebin with a more permissive CSP for development:

NODE_ENV=development HASTEBIN_BYPASS_CSP_IN_DEV=true node server.js

Running in Production Mode

For production with strict CSP:

NODE_ENV=production node server.js

The CSP implementation ensures that:

  • All script sources are properly controlled
  • Inline scripts are secured with nonces
  • DOM events are properly handled with 'unsafe-hashes' when necessary
  • HSTS can be enabled for HTTPS environments

Key Generation

Phonetic

Attempts to generate phonetic keys, similar to pwgen.

{
  "type": "phonetic"
}

Random

Generates a random key

{
  "type": "random",
  "keyspace": "abcdef"
}

The optional keyspace option is a string of acceptable characters for the key.

Storage

File

To use file storage (the default) change the storage section in config.js to something like:

{
  "path": "./data",
  "type": "file"
}

where path represents where you want the files stored.

File storage currently does not support paste expiration; you can follow #191 for status updates.

Redis

To use redis storage you must install the redis package via npm and have redis-server running on the machine.

npm install redis

Once you've done that, your config section should look like:

{
  "type": "redis",
  "host": "localhost",
  "port": 6379,
  "db": 2
}

You can also set an expire option to the number of seconds after which keys expire. This is off by default; when enabled, the expiration is pushed back on every view or post.

All of these fields are optional except type, and the defaults are sensible.

If your Redis server is configured for password authentication, use the password field.

Postgres

To use postgres storage you must install the pg package via npm

npm install pg

Once you've done that, your config section should look like:

{
  "type": "postgres",
  "connectionUrl": "postgres://user:password@host:5432/database"
}

You can also just set the DATABASE_URL environment variable to your database connection URL.

You will have to manually add a table to your postgres database:

create table entries (id serial primary key, key varchar(255) not null, value text not null, expiration int, unique(key));

You can also set an expire option to the number of seconds after which keys expire. This is off by default; when enabled, the expiration is pushed back on every view or post.

All of these fields are optional except type, and the defaults are sensible.

Memcached

To use memcached storage you must install the memcached package via npm

npm install memcached

Once you've done that, your config section should look like:

{
  "type": "memcached",
  "host": "127.0.0.1",
  "port": 11211
}

You can also set an expire option to the number of seconds after which keys expire. This behaves just like the redis expiration, but does not push expirations forward on GETs.

All of these fields are optional except type, and the defaults are sensible.

RethinkDB

To use the RethinkDB storage system, you must install the rethinkdbdash package via npm

npm install rethinkdbdash

Once you've done that, your config section should look like this:

{
  "type": "rethinkdb",
  "host": "127.0.0.1",
  "port": 28015,
  "db": "haste"
}

In order for this to work, the database must be created before the script is run. You must also create an uploads table, which will store all the data for uploads.

You can optionally add the user and password properties to use a user system.


Author

John Crepezzi [original author retired from project]

Colin_ [use the git issues; I might add another point of contact at some point.]

License Update

As of the creation of this repository, this software is being "relicensed" under the AGPL (GNU Affero General Public License). The AGPL license applies to all versions of the software released from this point forward.

The previous versions of the software, up until the "relicense" date, remain available under the MIT License and can be found in the original repository on GitHub.

Please note that the AGPL imposes certain obligations that are not present in the MIT License, particularly related to the disclosure of source code when the software is run over a network.

Previous License (MIT)

(The MIT License)

Copyright © 2011-2012 John Crepezzi

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the 'Software'), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

Other components:

  • jQuery: MIT/GPL license
  • highlight.js: Copyright © 2006, Ivan Sagalaev
  • highlightjs-coffeescript: WTFPL - Copyright © 2011, Dmytrii Nagirniak