PROXY-001: Add startup warning when TRUSTED_PROXY_SECRET empty in production
- validate_security_config() checks for missing proxy secret
- Additional warning when PKI enabled without proxy secret
- Tests for security configuration validation
BURN-001: HEAD requests now trigger burn-after-read deletion
- Prevents attacker from probing paste existence before retrieval
- Updated test to verify new behavior
RATE-001: Add RATE_LIMIT_MAX_ENTRIES to cap memory usage
- Default 10000 unique IPs tracked
- Prunes oldest entries when limit exceeded
- Protects against memory exhaustion DoS
Test count: 284 -> 291 (7 new security tests)
- replace deprecated FLASK_ENV with FLASK_DEBUG
- remove duplicate FLASKPASTE_MAX_EXPIRY entry
- update API version to 1.5.0
- add missing /pastes and /pki endpoints to table
- remove deprecated X-XSS-Protection header
- add PKI config variables
- update features list with current capabilities
- update auth benefits and security sections
Public endpoint allows anyone to obtain a client certificate for
authentication. Features:
- Higher PoW difficulty than paste creation (24 vs 20 bits)
- Auto-generates CA on first registration if not present
- Returns PKCS#12 bundle with cert, key, and CA
- Configurable via FLASKPASTE_REGISTER_POW
Endpoints:
- GET /register/challenge - Get registration PoW challenge
- POST /register - Register and receive PKCS#12 bundle
- Add anti-flood, rate limiting, scheduled cleanup to feature lists
- Update version to 1.4.0, test count to 205
- Document /pastes endpoint with query parameters
- Add anti-flood fields to /challenge response
- Update CLI docs with new commands (list, search, export)
- Add decision log entries for recent features
Update README.md, api.md, and error hints to reflect:
- encryption is now default (no -e flag needed)
- use -E/--no-encrypt to disable
- file path shortcut (fpaste file.txt)
