README

Secure Markdown Pastebin

Markdown

Pastes should be written in a Markdown format following the CommonMark specification with some additions from GitHub Flavored Markdown.

Parsers

Markdown is rendered on the server or the client, depending on whether encryption has been used or not.

• Server side: redcarpet
• Client side: markdown-it

Rendering options:

• Filter HTML
• Nofollow on links

Extensions:

• Fenced code blocks
• Autolink

Syntax highlighting

Paste can contain fenced code blocks with an optional language name:

module HelloWorld
  def print_hello
    puts "Hello, World!"
  end
end

Syntax highlighting is done in the browser with highlight.js

Cryptography

Pastes can be encrypted in the browser with a passphrase before being sent to the server. The passphrase can be chosen by the user or randomly generated, in any case it is never communicated to the server.

Client side cryptography is provided by libsodium.js.

Random data generation

• Source: Web Cryptography API

Secret-key authenticated encryption

• Encryption: Salsa20
• Authentication: Poly1305

Key derivation

• Function: Scrypt
• Parameters:
  • memlimit: 16 MB
  • opslimit: memlimit / 32

Limits

• No more than 100 KB per paste
• No more than n + 1 pastes per IP address in 10^n seconds for n in [0..3]

License

Copyright (c) 2017-2018 Vincent Ollivier. Released under MIT.