Joy G. Majumdar edited this page Jun 10, 2026 · 1 revision

Welcome to the BurnLink Wiki. This documentation covers installation, usage, security architecture, and development of BurnLink - an open source file sharing service with end-to-end encryption.


Table of Contents

  1. Overview
  2. Getting Started
  3. Features
  4. Installation
  5. Configuration
  6. Usage
  7. Security Architecture
  8. API Reference
  9. Deployment
  10. Contributing
  11. FAQ
  12. Support

Overview

BurnLink is an open source file sharing service that provides client-side encryption, zero-knowledge architecture, and automatic file deletion. Unlike traditional file sharing services, BurnLink ensures that files are encrypted before they leave your device and the server cannot access file contents.

Core Principles:

  • Client-side encryption ensures files never exist unencrypted on servers
  • Zero-knowledge architecture means even administrators cannot access file contents
  • No account requirements allow immediate sharing without registration
  • Automatic file deletion ensures data cleanup
  • Fully open source code enables community audit and self-hosting

Getting Started

Quick Start

  1. Visit https://burnlink.page
  2. Select files to share
  3. Optional: Add password protection
  4. Click Share and send the link to recipient
  5. Recipient downloads file
  6. File automatically deletes after first access

For Self-Hosting

  1. Clone the repository: git clone https://github.com/Joy-Majumder/BurnLink.git
  2. Install dependencies: npm install
  3. Configure environment variables (see Configuration section)
  4. Start the server: npm start
  5. Access at http://localhost:3000

Features

File Sharing

  • No account required for basic sharing
  • Single-use links that delete after first access
  • Support for multiple file uploads in one share session
  • Optional password protection for additional security
  • Custom expiration times from 15 minutes to 15 days
  • View-once mode limiting access window to 60 seconds
  • Batch file operations

Security and Privacy

  • Client-side AES-256-GCM encryption
  • Zero-knowledge server architecture
  • One-time access tokens
  • Brute-force protection with automatic lockout
  • CSRF protection
  • No analytics or tracking
  • No user profiling
  • No third-party data sharing

Technical Features

  • Support for files up to 1GB
  • Direct browser-to-storage uploads
  • Multiple access control modes
  • Rate limiting per endpoint
  • Fast transfer speeds
  • Mobile-responsive interface
  • HTTPS enforced
  • Docker containerization support

Installation

Prerequisites

  • Node.js 14.0 or higher
  • npm 6.0 or higher
  • PostgreSQL 12 or higher (or use Supabase)
  • Docker (optional, for containerized deployment)

Local Installation

Clone the repository:

git clone https://github.com/Joy-Majumder/BurnLink.git
cd BurnLink

Install dependencies:

npm install

Run migrations:

npm run migrate

Start the development server:

npm run dev

The application will be available at http://localhost:3000

Docker Installation

Build the image:

docker build -t burnlink .

Run the container:

docker run -p 3000:3000 --env-file .env burnlink

Configuration

Configuration is managed through environment variables. Create a .env file in the project root:

NODE_ENV=production
PORT=3000

DATABASE_URL=postgresql://user:password@host:port/database
DATABASE_POOL_MIN=2
DATABASE_POOL_MAX=20

SUPABASE_URL=https://your-project.supabase.co
SUPABASE_KEY=your-anon-key
SUPABASE_SERVICE_KEY=your-service-key

R2_ACCOUNT_ID=your-account-id
R2_ACCESS_KEY_ID=your-access-key
R2_SECRET_ACCESS_KEY=your-secret-key
R2_BUCKET_NAME=burnlink

ENCRYPTION_ALGORITHM=aes-256-gcm
ENCRYPTION_IV_LENGTH=16

SESSION_SECRET=your-secure-random-string
CSRF_TOKEN_LENGTH=32

RATE_LIMIT_WINDOW_MS=900000
RATE_LIMIT_MAX_REQUESTS=100

MAX_FILE_SIZE=1073741824
MAX_FILES_PER_UPLOAD=10

FILE_EXPIRATION_DEFAULT_DAYS=15
FILE_EXPIRATION_MAX_DAYS=30

LOG_LEVEL=info
DEBUG=false

Environment Variable Descriptions

  • NODE_ENV: Set to 'production' for live deployment
  • PORT: Server port, default 3000
  • DATABASE_URL: PostgreSQL connection string
  • SUPABASE_URL and SUPABASE_KEY: Supabase project credentials
  • R2_*: Cloudflare R2 storage credentials
  • ENCRYPTION_ALGORITHM: Encryption method, default aes-256-gcm
  • SESSION_SECRET: Secret key for session management
  • RATE_LIMIT_*: Request rate limiting configuration
  • MAX_FILE_SIZE: Maximum individual file size in bytes
  • FILE_EXPIRATION_*: File retention policy in days


Usage

Uploading Files

  1. Navigate to https://burnlink.page
  2. Click the upload area or browse files
  3. Select one or more files
  4. Optional: Set password, custom expiration, or view-once mode
  5. Click Generate Link
  6. Share the generated link with recipients
  7. Recipient receives and decrypts file in their browser

Receiving Files

  1. Open the shared link from email or message
  2. Optional: Enter password if required
  3. Click Download
  4. Browser decrypts file locally
  5. File automatically saves to downloads
  6. Link becomes invalid after first use

API Usage

Upload files via API:

POST /api/upload
Content-Type: multipart/form-data

Parameters:
- files: File(s) to upload
- password: Optional password
- expiresIn: Optional expiration in hours
- viewOnceMode: Optional boolean for view-once access

Retrieve file metadata:

GET /api/file/:id

Response:
{
  id: string,
  created: datetime,
  expires: datetime,
  isDownloaded: boolean,
  accessCount: integer
}

Security Architecture

Encryption Flow

  1. User selects files in browser
  2. Browser generates random encryption key
  3. Each file encrypted locally using AES-256-GCM
  4. Encrypted files uploaded to server with secure token
  5. Encryption key transmitted separately via URL fragment
  6. Server stores only encrypted data
  7. Recipient downloads encrypted file
  8. Browser decrypts using key from URL fragment

Key Management

  • Encryption keys never sent to server
  • Keys transmitted only in URL fragment
  • Fragment is not sent to the server in HTTP requests
  • Each share session has unique encryption key
  • Keys not logged or stored
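
The encryption flow and key-management rules above, as an added example that is not BurnLink's own code: it uses the browser WebCrypto API (also available in Node.js), and the function names and the caller-supplied share id are hypothetical. It assumes the 12-byte IV recommended for GCM, whereas the sample .env on this page lists ENCRYPTION_IV_LENGTH=16.

```javascript
// Added example, not BurnLink's code; function names and sample data are hypothetical.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto; // Node < 19

const b64url = (bytes) => btoa(String.fromCharCode(...bytes))
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const fromB64url = (s) => Uint8Array.from(
  atob(s.replace(/-/g, "+").replace(/_/g, "/")), (c) => c.charCodeAt(0));

// Sender: fresh 256-bit key per share session and fresh 96-bit IV per file.
async function encryptForShare(plaintext, shareId) {
  const key = await webcrypto.subtle.generateKey(
    { name: "AES-GCM", length: 256 }, true, ["encrypt"]);
  const iv = webcrypto.getRandomValues(new Uint8Array(12));
  const ciphertext = new Uint8Array(
    await webcrypto.subtle.encrypt({ name: "AES-GCM", iv }, key, plaintext));
  const rawKey = new Uint8Array(await webcrypto.subtle.exportKey("raw", key));
  return {
    upload: { iv: b64url(iv), ciphertext }, // everything the server stores
    link: `https://burnlink.page/s/${shareId}#key=${b64url(rawKey)}`,
  };
}

// The request target a browser derives from the link: path and query only.
// The fragment, and with it the key, stays on the client.
function requestTarget(link) {
  const u = new URL(link);
  return u.pathname + u.search;
}

// Recipient: read the key from the fragment and decrypt locally. GCM checks
// the authentication tag, so a wrong key or modified ciphertext rejects.
async function decryptFromLink(link, upload) {
  const rawKey = fromB64url(new URL(link).hash.replace(/^#key=/, ""));
  const key = await webcrypto.subtle.importKey(
    "raw", rawKey, "AES-GCM", false, ["decrypt"]);
  const plaintext = await webcrypto.subtle.decrypt(
    { name: "AES-GCM", iv: fromB64url(upload.iv) }, key, upload.ciphertext);
  return new Uint8Array(plaintext);
}

async function demo() {
  const data = new TextEncoder().encode("constructed sample file contents");
  const { upload, link } = await encryptForShare(data, "abc123def456");
  const roundTrip = new TextDecoder().decode(await decryptFromLink(link, upload));
  const tampered = { ...upload, ciphertext: upload.ciphertext.slice() };
  tampered.ciphertext[0] ^= 1; // flip one bit of the stored blob
  const tamperRejected = await decryptFromLink(link, tampered).then(() => false, () => true);
  return { target: requestTarget(link), roundTrip, tamperRejected };
}
```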

Access Control

  • One-time tokens invalidated after use
  • Brute-force protection blocks IPs after 5 failed attempts
  • Rate limiting prevents abuse
  • Session tokens expire after 24 hours
  • CSRF tokens required for state-changing operations

Data Protection

  • Files stored encrypted at rest
  • HTTPS enforced for all connections
  • Database credentials stored in environment variables
  • API keys never exposed in client code
  • Sensitive logs never written to files

API Reference

Upload Endpoint

POST /api/upload

Request:

Content-Type: multipart/form-data

{
  files: [File, ...],
  password: "optional-password",
  expiresIn: 24,
  viewOnceMode: false
}

Response (200):

{
  id: "abc123def456",
  link: "https://burnlink.page/s/abc123def456#key=xyz789",
  expiresAt: "2026-06-12T10:00:00Z",
  fileCount: 2,
  accessToken: "token_xyz789"
}

File Metadata Endpoint

GET /api/file/:id

Response (200):

{
  id: "abc123def456",
  fileName: "document.pdf",
  fileSize: 2097152,
  mimeType: "application/pdf",
  created: "2026-06-11T10:00:00Z",
  expiresAt: "2026-06-12T10:00:00Z",
  isDownloaded: false,
  accessCount: 0,
  requiresPassword: false
}

Download Endpoint

GET /s/:id

Query Parameters:

  • password: Required if password protection enabled

Response: File download with decryption key

Delete Endpoint

DELETE /api/file/:id

Response (200):

{
  success: true,
  message: "File deleted successfully"
}

Deployment

Netlify Deployment

  1. Connect GitHub repository to Netlify
  2. Set build command: npm run build
  3. Set publish directory: dist
  4. Add environment variables in Netlify dashboard
  5. Deploy on push to main branch

Docker Deployment

Build and push image:

docker build -t your-registry/burnlink:latest .
docker push your-registry/burnlink:latest

Deploy container:

docker run -d \
  --name burnlink \
  -p 3000:3000 \
  --env-file .env \
  your-registry/burnlink:latest

Traditional Server Deployment

  1. SSH into server
  2. Clone repository
  3. Install Node.js and dependencies
  4. Create systemd service file
  5. Configure nginx reverse proxy
  6. Enable SSL with Let's Encrypt
  7. Start service: systemctl start burnlink

Environment-Specific Configuration

Development:

NODE_ENV=development
DEBUG=true
DATABASE_URL=postgresql://localhost/burnlink_dev

Production:

NODE_ENV=production
DEBUG=false
DATABASE_URL=[production-database-url]
RATE_LIMIT_MAX_REQUESTS=50

Contributing

Setup Development Environment

  1. Fork the repository
  2. Clone your fork
  3. Create feature branch: git checkout -b feature/description
  4. Install dependencies: npm install
  5. Start development server: npm run dev
  6. Make changes and test locally

Code Standards

  • Follow existing code style and formatting
  • Write meaningful commit messages
  • Include tests for new features
  • Update documentation for changes
  • Keep commits focused and atomic

Submitting Changes

  1. Push to your fork
  2. Create Pull Request with clear description
  3. Reference related issues
  4. Wait for review and CI checks
  5. Respond to feedback
  6. Merge when approved

Reporting Issues

  • Check existing issues before reporting
  • Provide clear problem description
  • Include steps to reproduce
  • Specify environment details
  • Attach relevant logs or screenshots

FAQ

How is my data protected?

Files are encrypted in your browser before leaving your device. The encryption happens client-side using AES-256-GCM, and the server only ever sees encrypted data. Encryption keys are never transmitted to the server.

Can I recover a deleted file?

No. Files are permanently deleted after download or expiration. There are no backups. This is by design to ensure privacy and data cleanup.

How long are files stored?

Files are stored for a maximum of 15 days by default, configurable up to 30 days. Files are automatically deleted after first download or when expiration time is reached.

Is password protection secure?

Passwords protect the download link but are not part of the encryption. The encryption is handled by the client-side key. Passwords should be transmitted separately from the share link for maximum security.

Can I host BurnLink myself?

Yes. The entire codebase is open source under the MIT license. You can self-host by following the installation instructions. You can use your own infrastructure and database.

What about GDPR compliance?

BurnLink does not collect personally identifiable information. No accounts are required. No tracking or analytics. No third-party data sharing. All data is encrypted and temporary.

How do I report security vulnerabilities?

Please report security issues responsibly by emailing security@burnlink.page or creating a private security advisory on GitHub. Do not publicly disclose vulnerabilities.

Can files be traced or recovered by authorities?

BurnLink cannot assist with file recovery as files are permanently deleted. We maintain no logs of file contents or user information. Legal requests should go through appropriate channels.


Support

Getting Help

  • Check the FAQ section above
  • Search existing GitHub issues
  • Review SECURITY.md for security questions
  • Read SELFHOST.md for self-hosting questions

Reporting Bugs

  1. Check if issue already exists
  2. Create new issue with clear title
  3. Describe expected vs actual behavior
  4. Include steps to reproduce
  5. Provide environment details

Feature Requests

  1. Check existing feature requests
  2. Clearly describe the feature
  3. Explain use case and benefits
  4. Discuss implementation approach if applicable

Contact


Resources


Last Updated: June 2026
Version: 1.2.0