PastePortal

Security

Comprehensive security practices and protections

Security is a top priority at PastePortal. We implement multiple layers of protection to ensure your data remains safe and private. This page outlines our security practices, recent improvements, and how to report security vulnerabilities.

Core Security Features

Strong Encryption

All paste content is encrypted with AES-256-GCM before it is stored in the database. This industry-standard encryption ensures your data remains secure even if database access is compromised.

  • AES-256-GCM provides authenticated encryption with associated data
  • Encryption keys are stored securely in environment variables, never exposed to clients
  • Each encrypted paste uses a unique initialization vector (IV) for maximum security

Password-Protected Pastes

Password-protected pastes use enhanced password encryption with a unique random salt for each encryption. Each password-protected paste uses a cryptographically secure random salt, preventing rainbow table attacks.

  • PBKDF2 key derivation with 100,000 iterations
  • Unique random salt for each encryption operation
  • Backward compatible with existing encrypted pastes
  • Client-side encryption ensures your password never leaves your device

Database Security

Row Level Security (RLS) policies enforce access controls at the database level, ensuring users can only access their own data.

  • RLS policies prevent unauthorized data access
  • User ID verification prevents user_id spoofing attacks
  • Password fields are excluded from public API responses
  • Authentication checks validate user identity before allowing operations

Input Validation & Sanitization

Comprehensive input validation prevents injection attacks and ensures data integrity.

  • Paste ID format validation (UUID v4 or legacy hex)
  • Paste size limits (400KB maximum) prevent resource exhaustion
  • Password validation enforces security requirements
  • Error messages are sanitized to prevent information disclosure

🔒 Recent Security Improvements

Content Security Policy (CSP)

Implemented strict CSP headers to prevent XSS attacks and code injection. The policy restricts resource loading to trusted sources only.

  • Script sources restricted to self and trusted domains
  • Style sources limited to necessary origins
  • The upgrade-insecure-requests directive forces HTTPS
  • Frame ancestors blocked to prevent clickjacking

CSRF Protection

Added comprehensive CSRF (Cross-Site Request Forgery) protection for all state-changing operations.

  • Origin header validation for all authenticated requests
  • CSRF token validation using double-submit cookie pattern
  • Protection for POST, DELETE, and other state-changing operations
  • Maintains backward compatibility with API clients
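One way to combine the Origin check with the double-submit cookie comparison, as an added example that is not PastePortal's own code. The cookie name `csrf_token`, the header `x-csrf-token`, the placeholder origin and the request-object shape are assumptions, and the block covers cookie-authenticated browser requests only, not the API-client path mentioned above.

```javascript
// Added example: Origin validation plus double-submit cookie check.
// Assumptions (not from the page): cookie name "csrf_token", header
// "x-csrf-token", the placeholder origin, and the plain request-object shape.
const { randomBytes, timingSafeEqual } = require('node:crypto');

const ALLOWED_ORIGINS = new Set(['https://pasteportal.example']); // placeholder
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Token the server sets as a cookie and the client echoes in a header.
function issueCsrfToken() {
  return randomBytes(32).toString('hex');
}

function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Constant-time comparison; missing or empty tokens never match.
function tokensMatch(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || a.length === 0) return false;
  const ba = Buffer.from(a), bb = Buffer.from(b);
  return ba.length === bb.length && timingSafeEqual(ba, bb);
}

// req: { method, headers } with lower-cased header names.
function checkCsrf(req) {
  if (SAFE_METHODS.has(req.method.toUpperCase())) return { ok: true };
  const origin = req.headers['origin'];
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return { ok: false, reason: 'bad-origin' };
  const cookieToken = parseCookies(req.headers['cookie'])['csrf_token'];
  if (!tokensMatch(cookieToken, req.headers['x-csrf-token'])) {
    return { ok: false, reason: 'token-mismatch' };
  }
  return { ok: true };
}
```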

HSTS (HTTP Strict Transport Security)

Enforced HTTPS-only connections with HSTS headers to prevent protocol downgrade attacks.

  • 1-year HSTS enforcement with subdomain coverage
  • Preload list eligibility for maximum security
  • Prevents man-in-the-middle attacks via HTTP

Error Message Sanitization

Implemented production-safe error handling that prevents information disclosure.

  • Generic error messages returned to clients in production
  • Detailed errors logged server-side only for debugging
  • Prevents leakage of internal application structure

Response Data Minimization

Removed unnecessary data from API responses to minimize exposure risks.

  • Paste content no longer returned in store-paste responses
  • Only essential metadata (ID, timestamp) returned
  • Reduces risk of interception or logging sensitive data

🛡️ Security Headers

We implement comprehensive security headers to protect against various attack vectors:

  • X-Frame-Options: DENY - Prevents clickjacking attacks
  • X-XSS-Protection: 1; mode=block - Enables XSS filtering
  • X-Content-Type-Options: nosniff - Prevents MIME type sniffing
  • Referrer-Policy: strict-origin-when-cross-origin - Controls referrer information
  • Strict-Transport-Security: Enforces HTTPS-only connections
  • Content-Security-Policy: Strict policy to prevent XSS and injection
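A check for the headers listed above and in the CSP and HSTS sections, as an added example that is not PastePortal's own code: it audits a response's headers against the stated values and returns a list of findings. Reading "frame ancestors blocked" as `frame-ancestors 'none'` and flagging `'unsafe-inline'`, `'unsafe-eval'` and `*` in script sources are this example's assumptions about what the strict policy contains.

```javascript
// Added example: audit response headers against the values this page lists.
// Assumptions: frame-ancestors 'none', and 'unsafe-inline' / 'unsafe-eval' / *
// in script sources counted as findings. Header names are lower-cased.
const ONE_YEAR = 31536000; // seconds; the page states 1-year HSTS
const norm = (s) => (s || '').replace(/\s+/g, '').toLowerCase();

function cspDirectives(value) {
  const map = new Map();
  for (const part of (value || '').split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) map.set(name.toLowerCase(), sources);
  }
  return map;
}

function auditSecurityHeaders(headers) {
  const findings = [];
  const expectExact = {
    'x-frame-options': 'DENY',
    'x-xss-protection': '1; mode=block',
    'x-content-type-options': 'nosniff',
    'referrer-policy': 'strict-origin-when-cross-origin',
  };
  for (const [name, want] of Object.entries(expectExact)) {
    if (norm(headers[name]) !== norm(want)) findings.push(`${name}: expected ${want}`);
  }
  const hsts = norm(headers['strict-transport-security']);
  const maxAge = /max-age=(\d+)/.exec(hsts);
  if (!maxAge || Number(maxAge[1]) < ONE_YEAR) findings.push('hsts: max-age below one year');
  if (!hsts.includes('includesubdomains')) findings.push('hsts: missing includeSubDomains');
  if (!hsts.includes('preload')) findings.push('hsts: missing preload');
  const csp = cspDirectives(headers['content-security-policy']);
  if (csp.size === 0) { findings.push('csp: missing'); return findings; }
  const scripts = csp.get('script-src') || csp.get('default-src') || [];
  if (scripts.length === 0) findings.push('csp: script-src/default-src missing or empty');
  for (const s of scripts) {
    if (["'unsafe-inline'", "'unsafe-eval'", '*'].includes(s)) findings.push(`csp: script source ${s}`);
  }
  const fa = csp.get('frame-ancestors') || [];
  if (fa.length !== 1 || fa[0] !== "'none'") findings.push("csp: frame-ancestors is not 'none'");
  if (!csp.has('upgrade-insecure-requests')) findings.push('csp: missing upgrade-insecure-requests');
  return findings;
}
```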

💡 Security Best Practices for Users

For Password-Protected Pastes:

  • Use strong, unique passwords (8-30 characters, no spaces)
  • Share passwords through secure channels
  • Remember: we cannot recover passwords if lost

For Account Security:

  • Keep your account credentials secure
  • Use strong, unique passwords for your account
  • Enable two-factor authentication if available
  • Regularly review your pastes and delete unused ones

For Sharing Pastes:

  • Be mindful of what content you share publicly
  • Use password protection for sensitive information
  • Remember: public pastes can be accessed by anyone with the link

🚨 Reporting Security Vulnerabilities

We take security seriously and appreciate your help in keeping PastePortal secure. If you discover a security vulnerability, please report it responsibly.

How to Report:

  1. Create a GitHub Issue on our repository at github.com/stiliajohny/pasteportal/issues
  2. Use the "Security" label when creating the issue
  3. Provide a clear description of the vulnerability
  4. Include steps to reproduce if possible
  5. Do not publicly disclose the vulnerability until it's been addressed

Important: Please allow us reasonable time to address the vulnerability before public disclosure. We appreciate responsible disclosure practices.

We will acknowledge your report and work to address it as quickly as possible. Thank you for helping keep PastePortal secure!

Security Standards & Compliance

Our security practices align with industry standards and best practices:

  • OWASP Top 10 - Protection against common web vulnerabilities
  • NIST Guidelines - Following encryption and key management best practices
  • HTTPS Everywhere - All connections encrypted with TLS
  • Defense in Depth - Multiple layers of security controls

Last updated: 11/4/2025

Security is an ongoing process. We continuously improve our security measures to protect your data.