diff --git a/documentation/api.md b/documentation/api.md index cdd5039..c26f52f 100644 --- a/documentation/api.md +++ b/documentation/api.md @@ -220,10 +220,12 @@ Password protected content | 400 | Password too long (max 1024 chars) | | 400 | Proof-of-work required (when PoW enabled) | | 400 | Proof-of-work failed (invalid/expired challenge) | +| 400 | Paste too small (below minimum size) | | 413 | Paste too large | | 429 | Duplicate content rate limit exceeded | **Size Limits:** +- Minimum: disabled by default (`FLASKPASTE_MIN_SIZE`, e.g. 64 bytes for encryption enforcement) - Anonymous: 3 MiB (configurable via `FLASKPASTE_MAX_ANON`) - Authenticated: 50 MiB (configurable via `FLASKPASTE_MAX_AUTH`) 
@@ -575,6 +577,50 @@ export FLASKPASTE_MIN_ENTROPY_SIZE=256 # Only check content >= this size (defaul --- +### Binary Content Requirement + +FlaskPaste can require unrecognizable binary content (MIME-based encryption enforcement). + +**How it works:** +- Content is checked for magic bytes (PNG, JPEG, PDF, ZIP, etc.) +- Content is checked for valid UTF-8 text +- Recognized formats are rejected with 400 +- Only application/octet-stream (unrecognizable binary) is allowed + +**Configuration:** +```bash +export FLASKPASTE_REQUIRE_BINARY=1 # Reject recognizable formats (0=disabled) +``` + +**Response (400 Bad Request):** +```json +{ + "error": "Recognizable format not allowed", + "detected": "text/plain", + "hint": "Encrypt content before uploading (-e flag in fpaste)" +} +``` + +**Detected formats:** +- `text/plain` (valid UTF-8 text) +- `image/png`, `image/jpeg`, `image/gif`, `image/webp` +- `application/pdf`, `application/zip`, `application/gzip` + +**vs Entropy enforcement:** +| Method | Detects | False positives | +|--------|---------|-----------------| +| Entropy | Random-looking data | Compressed files pass | +| Binary | No magic bytes + invalid UTF-8 | Minimal | + +Use both together for maximum encryption enforcement: +```bash +export FLASKPASTE_REQUIRE_BINARY=1 +export FLASKPASTE_MIN_ENTROPY=6.0 +export FLASKPASTE_MIN_SIZE=64 +``` + +--- + ## Proof-of-Work FlaskPaste includes an optional proof-of-work system to prevent automated spam.
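Review bot: in the first hunk, the new `Minimum:` bullet under **Size Limits** says "disabled by default" but gives neither the value that disables the check nor whether the minimum applies to anonymous and authenticated uploads alike. Suggest following the form of the neighbouring bullets ("configurable via `FLASKPASTE_MIN_SIZE`") and stating the default value explicitly. The added 400 row "Paste too small (below minimum size)" could also name the variable, since the table now lists several 400 causes that a client has to tell apart by message text.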
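Review bot: in the second hunk, the "vs Entropy enforcement" table has column headings that do not match its cells. The Binary row's "Detects" cell ("No magic bytes + invalid UTF-8") describes what is accepted rather than what is rejected, and "Compressed files pass" in the Entropy row is a miss, not a false positive. Suggest renaming the columns to say what each check accepts and what it is known to let through. The "How it works" list ends its formats with "etc." while "Detected formats" reads as a closed list; say which one is authoritative, and state that anything outside that list is treated as `application/octet-stream`, so the check shows the content is unrecognized rather than that it is encrypted. In the combined example, `FLASKPASTE_MIN_SIZE=64` is below the `FLASKPASTE_MIN_ENTROPY_SIZE=256` shown in the context line above this hunk ("Only check content >= this size"), so pastes between those two sizes would skip the entropy check; either set both variables in the example or document the interaction.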