Sharing HTML prototypes shouldn't require setting up a GitHub repo or a Vercel project. I wanted a "sovereign" way to share files without logins or tracking—so I built TempSite.
🛠 The Concept
TempSite is a zero-configuration, ephemeral hosting tool. You drag and drop a ZIP, get a live URL, and the entire deployment self-destructs in 60 minutes.
🛡 The Security Architecture
Since I’m allowing users to upload and extract ZIP files on my server, security was the biggest challenge. I didn't want to rely on heavy frameworks, so I built the core hardening myself:
- Anti-ZIP Bomb Protection: Before extraction, the backend scans the ZIP to calculate total uncompressed size and file count. If it exceeds my limits (e.g., 50MB or 250 files), it nukes the file immediately to prevent server crashes.
2.XSS & RCE Sandboxing: After extraction, the script dynamically injects an .htaccess file into the site folder. This:
• Enforces a strict Content-Security-Policy (Sandboxing).
• Forces PHP files to render as plain text (preventing server-side execution).
• Blocks path traversal/symlink attacks.
• Zero-Footprint: Once the timer expires, a hard delete occurs—no soft-deletes or leftover logs.
📈 Why I built this
I'm a student currently exploring backend architecture and penetration testing. This project was my way of bridging the gap between "making things work" and "making things secure."
💬 Feedback Needed
I know this isn't enterprise-grade, and I’m sure there are still holes I've missed. I’d love for the community to look at the logic and help me improve.
How would you further harden a PHP-based upload script?
Are there better ways to handle ephemeral cleanup without relying on user-triggered visits?
If you have detailed suggestions, architecture advice, or just want to connect, feel free to drop me an email:
📧 [damnbro6@proton.me]
Thanks for reading!
Top comments (0)