Security: pszemraj/localpaste.rs

docs/security.md

Security Configuration

Security defaults, exposure policy, and security-relevant environment settings. Storage compatibility lives in storage.md, service operations in deployment.md, runtime-provider toggles in language-detection.md, and build/run commands in dev/devlog.md.



Default Security Settings

LocalPaste.rs is designed for local use and comes with secure defaults:

  • Localhost-only binding: Server binds to 127.0.0.1 by default
  • CORS restrictions: In strict mode, only accepts loopback origins that match the active listener port
  • Security headers: CSP, X-Frame-Options, X-Content-Type-Options
  • Request size limits: Enforced at transport layer (default: 10MB)
  • Storage durability: defined in storage.md
  • Single-writer owner lock: semantics in dev/locking-model.md
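
The strict-mode CORS rule above (loopback origin, port equal to the active listener port) can be sketched as follows. This is an added example, not LocalPaste's own code; the function name `origin_allowed`, the http-only scheme rule and the set of hosts treated as loopback are assumptions.

```rust
use std::net::{Ipv4Addr, Ipv6Addr};
/// Strict-mode check: accept only http://<loopback-host>:<listener_port>.
/// Assumed here: http scheme only; "localhost" and literal loopback IPs qualify.
fn origin_allowed(origin: &str, listener_port: u16) -> bool {
    let rest = match origin.strip_prefix("http://") {
        Some(r) if !r.is_empty() => r,
        _ => return false,
    };
    // A serialized origin carries no path, query, fragment or userinfo.
    if rest.contains(|c: char| matches!(c, '/' | '?' | '#' | '@')) {
        return false;
    }
    // Split host from the optional port; IPv6 literals are bracketed.
    let (host_ok, port) = if let Some(v6) = rest.strip_prefix('[') {
        let (host, tail) = match v6.split_once(']') {
            Some(parts) => parts,
            None => return false,
        };
        let port = match tail.strip_prefix(':') {
            Some(p) => Some(p),
            None if tail.is_empty() => None,
            None => return false,
        };
        (host.parse::<Ipv6Addr>().map_or(false, |ip| ip.is_loopback()), port)
    } else {
        let (host, port) = match rest.rsplit_once(':') {
            Some((h, p)) => (h, Some(p)),
            None => (rest, None),
        };
        // Compare the whole host, never a prefix of it.
        let ok = host.eq_ignore_ascii_case("localhost")
            || host.parse::<Ipv4Addr>().map_or(false, |ip| ip.is_loopback());
        (ok, port)
    };
    // Browsers omit the port when it is the scheme default (80 for http).
    let port = match port {
        None => Some(80),
        Some(p) if p.bytes().all(|b| b.is_ascii_digit()) => p.parse::<u16>().ok(),
        Some(_) => None,
    };
    host_ok && port == Some(listener_port)
}

fn main() {
    // Constructed sample origins, checked against the default port 38411.
    for o in ["http://127.0.0.1:38411", "http://localhost:8080", "http://localhost.example.net:38411"] {
        println!("{:<36} allowed={}", o, origin_allowed(o, 38411));
    }
}
```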

Environment Variables

Network Configuration

| Variable | Default | Description |
| --- | --- | --- |
| PORT | 38411 | Listener port used when BIND is unset |
| BIND | 127.0.0.1:38411 | Server bind address (non-loopback requires ALLOW_PUBLIC_ACCESS=1) |
| ALLOW_PUBLIC_ACCESS | disabled | Enable CORS for all origins and allow non-loopback bind |
| MAX_PASTE_SIZE | 10485760 | Max accepted paste size (bytes) for write paths (API and GUI backend) |
| AUTO_BACKUP | disabled | Create DB backup on startup when existing DB is present |
| LOCALPASTE_VERSION_INTERVAL_SECS | 300 | Minimum seconds between persisted historical snapshots (>= 1) |
| LOCALPASTE_PASTE_VERSION_INTERVAL_SECS | unset | Legacy fallback key for LOCALPASTE_VERSION_INTERVAL_SECS |

localpaste startup fails fast on malformed BIND/PORT/size/boolean/snapshot-interval env values so invalid deployment configuration is explicit. Reference defaults/examples: .env.example.
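
A sketch of the fail-fast policy for BIND, PORT and ALLOW_PUBLIC_ACCESS described above, taking the raw values as arguments instead of reading the environment. This is an added example, not LocalPaste's own code; `ConfigError`, `parse_flag`, `resolve_bind` and the accepted boolean spellings are assumptions.

```rust
use std::net::SocketAddr;

#[derive(Debug, PartialEq)]
enum ConfigError {
    BadBind(String),
    BadPort(String),
    BadBool(String),
    PublicBindWithoutOptIn(SocketAddr),
}

/// Unrecognised spellings are an error, never a silent "false".
/// The accepted spellings here are an assumption of this example.
fn parse_flag(raw: Option<&str>) -> Result<bool, ConfigError> {
    match raw.map(str::trim) {
        None | Some("0") | Some("false") => Ok(false),
        Some("1") | Some("true") => Ok(true),
        Some(other) => Err(ConfigError::BadBool(other.to_string())),
    }
}

/// BIND wins when set; otherwise the listener is 127.0.0.1:PORT.
fn resolve_bind(
    bind: Option<&str>,
    port: Option<&str>,
    allow_public: Option<&str>,
) -> Result<SocketAddr, ConfigError> {
    let allow_public = parse_flag(allow_public)?;
    let addr: SocketAddr = match (bind, port) {
        // Literal IP:port only; hostnames are rejected rather than resolved.
        (Some(b), _) => b.trim().parse::<SocketAddr>().map_err(|_| ConfigError::BadBind(b.to_string()))?,
        (None, Some(p)) => {
            let n = p.trim().parse::<u16>().map_err(|_| ConfigError::BadPort(p.to_string()))?;
            SocketAddr::from(([127, 0, 0, 1], n))
        }
        (None, None) => SocketAddr::from(([127, 0, 0, 1], 38411)),
    };
    // 0.0.0.0 and LAN addresses are not loopback, so they need the opt-in.
    if !addr.ip().is_loopback() && !allow_public {
        return Err(ConfigError::PublicBindWithoutOptIn(addr));
    }
    Ok(addr)
}

fn main() {
    // Constructed inputs standing in for the process environment.
    println!("{:?}", resolve_bind(Some("0.0.0.0:38411"), None, None));
    println!("{:?}", resolve_bind(Some("0.0.0.0:38411"), None, Some("1")));
}
```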

Security Headers

The following headers are automatically set:

  • Content-Security-Policy: Restricts resource loading to same-origin
  • X-Content-Type-Options: nosniff: Prevents MIME-type sniffing
  • X-Frame-Options: DENY: Prevents clickjacking

To add a referrer policy, configure your reverse proxy or extend the Axum middleware layer.

Lock Management Policy

Operational recovery is documented in deployment.md. Lock semantics are documented in dev/locking-model.md. DB_PATH single-writer contract is documented in storage.md. Treat uncertain lock ownership as unsafe.

Public Exposure (Not Recommended)

If you need to expose LocalPaste publicly, follow these steps:

Warning

Setting ALLOW_PUBLIC_ACCESS=1 relaxes loopback-only protections. Use it only behind a firewall/reverse proxy you control.

1. Enable Public Binding

Build/run mechanics are documented in deployment.md and dev/devlog.md. This section only defines the security-relevant overrides:

# Bind to all interfaces (requires ALLOW_PUBLIC_ACCESS)
export BIND=0.0.0.0:38411

# Allow cross-origin requests and non-loopback bind
export ALLOW_PUBLIC_ACCESS=1

2. Security Checklist

Before exposing publicly, ensure:

  • Firewall rules configured to limit access
  • Consider adding authentication (not built-in)
  • Use HTTPS proxy (nginx/caddy) for encryption
  • Monitor access logs
  • Regular security updates
  • Backup strategy in place

3. Reverse Proxy Example (nginx)

server {
    listen 443 ssl http2;
    server_name paste.example.com;

    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;

    # Security headers
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "DENY" always;

    location / {
        proxy_pass http://127.0.0.1:38411;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # WebSocket support (if needed)
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

Security Best Practices

  1. Regular Updates: Keep dependencies updated.

    cargo update
    cargo audit

  2. Monitoring: Watch logs for unusual activity. Use the service/logging patterns in deployment.md.

  3. Backups: Regular database backups. Use the backup and retention procedures in deployment.md.

  4. Access Control: Use firewall rules.

    # Allow only specific IPs (example with ufw)
    ufw allow from 192.168.1.0/24 to any port 38411

  5. Keep broad-list payloads bounded by design: GET /api/pastes and GET /api/search return metadata rows. Fetch full content with GET /api/paste/:id only for selected records.

Threat Model

LocalPaste is designed for trusted local environments. The main security considerations:

What's Protected

  • Prevents unauthorized remote access (localhost binding)
  • Prevents XSS attacks (CSP headers, input sanitization)
  • Prevents large payload DoS (size limits)
  • Prevents clickjacking (X-Frame-Options)

What's Not Protected

  • No built-in authentication/authorization
  • No encryption at rest (use disk encryption)
  • No rate limiting (add reverse proxy if needed)
  • No audit logging (basic access logs only)

Reporting Security Issues

If you discover a security vulnerability, please:

  1. Do not create a public GitHub issue
  2. Email details to the maintainer
  3. Allow time for a fix before disclosure

Compliance Notes

LocalPaste stores all data locally and does not:

  • Transmit data to external services
  • Include analytics or tracking
  • Store personal information beyond paste content
  • Use cookies or local storage for tracking

This makes it suitable for environments with strict data residency requirements.
