claw/flaskpaste
1
0
Fork 1
forked from username/flaskpaste
Code Pull Requests Activity
Files
main
flaskpaste/examples/flaskpaste.env
Username 89eee3378a security: implement pentest remediation (PROXY-001, BURN-001, RATE-001) 
PROXY-001: Add startup warning when TRUSTED_PROXY_SECRET empty in production
- validate_security_config() checks for missing proxy secret
- Additional warning when PKI enabled without proxy secret
- Tests for security configuration validation

BURN-001: HEAD requests now trigger burn-after-read deletion
- Prevents attacker from probing paste existence before retrieval
- Updated test to verify new behavior

RATE-001: Add RATE_LIMIT_MAX_ENTRIES to cap memory usage
- Default 10000 unique IPs tracked
- Prunes oldest entries when limit exceeded
- Protects against memory exhaustion DoS

Test count: 284 -> 291 (7 new security tests)
2025-12-24 21:42:15 +01:00

50 lines
1.2 KiB
Bash
Raw Permalink Blame History

# FlaskPaste environment configuration
# Install: sudo mkdir -p /etc/flaskpaste && sudo cp flaskpaste.env /etc/flaskpaste/env
# Permissions: sudo chmod 600 /etc/flaskpaste/env
# Flask environment
FLASK_ENV=production
# Database path
FLASKPASTE_DB=/opt/flaskpaste/data/pastes.db
# Paste limits
FLASKPASTE_MAX_ANON=3145728
FLASKPASTE_MAX_AUTH=52428800
# Expiry (tiered by authentication level)
FLASKPASTE_EXPIRY_ANON=86400
FLASKPASTE_EXPIRY_UNTRUSTED=604800
FLASKPASTE_EXPIRY_TRUSTED=2592000
# Proof-of-work (set to 0 to disable)
FLASKPASTE_POW_DIFFICULTY=20
FLASKPASTE_POW_TTL=300
# Anti-flood
FLASKPASTE_ANTIFLOOD=1
FLASKPASTE_ANTIFLOOD_THRESHOLD=5
FLASKPASTE_ANTIFLOOD_MAX=28
# Rate limiting
FLASKPASTE_RATE_LIMIT=1
FLASKPASTE_RATE_WINDOW=60
FLASKPASTE_RATE_MAX=10
FLASKPASTE_RATE_AUTH_MULT=5
FLASKPASTE_RATE_MAX_ENTRIES=10000
# Content deduplication
FLASKPASTE_DEDUP_WINDOW=3600
FLASKPASTE_DEDUP_MAX=3
# URL prefix (for reverse proxy path-based routing)
# FLASKPASTE_URL_PREFIX=/paste
# Proxy trust (set shared secret for header validation)
# FLASKPASTE_PROXY_SECRET=your-secret-here
# PKI (uncomment to enable certificate authority)
# FLASKPASTE_PKI_ENABLED=1
# FLASKPASTE_PKI_CA_PASSWORD=change-this-secure-password
# FLASKPASTE_PKI_CERT_DAYS=365
View Git Blame Copy Permalink