Rolan Lobo

Posted on Dec 16

This message will self-destruct in 5 seconds...

#security #webdev #showdev #productivity

You know that scene in Mission Impossible where Ethan Hunt gets his briefing and then—poof—the tape/phone/hologram bursts into flames?

Yeah, I wanted that. But for files. On the internet. Without the fire hazard. 🔥

So, I built BAR-Web (Burn After Reading) - a file-sharing app where your secrets actually stay secret and then disappear forever. No "oops, I can recover that from the recycle bin." No "let me just use this recovery tool." Just... gone.

The Origin Story (aka "Why Did I Do This?")

It started with a simple problem: I needed to share a password with someone. Email? Nah, that stays in their inbox forever. WhatsApp? Now it's on their cloud backup. Signal? Better, but still... what if they screenshot it?

I wanted something that would:

✅ Self-destruct after being read
✅ Have ACTUAL security (not just vibes)
✅ Give ME control over who sees what, and when
✅ Make me feel like a secret agent

Spoiler: No good free options existed. So I made one. Twice. (First a desktop exe, then this web version because I got addicted to the idea.)

What Does It Actually Do?

Think Snapchat for files, but with actual teeth and bank-level encryption.

Here's the deal:

📤 Upload Anything

PDFs, images, videos, your secret cookie recipe—up to 100MB. No judgment.

🔒 Fort Knox Encryption

AES-256 encryption (the same stuff governments use to protect classified docs). Your files are turned into digital gibberish that would take a supercomputer billions of years to crack. No pressure.

🔑 Zero-Knowledge Security

Here's the cool part: Even I can't read your files. When you password-protect something, the encryption key is derived from your password and NEVER stored anywhere. No password? No file. It's that simple.

(This is the same tech 1Password, Bitwarden, and Signal use. If it's good enough for Edward Snowden, it's good enough for us.)

⏱️ Time Bombs

Set files to expire in:

5 minutes (for the truly paranoid)
24 hours (for the casually paranoid)
Or custom times (for the "I know what I'm doing" folks)

👁️ View Limits

"This file will self-destruct after 1 view."
Or 5 views. Or 100. Your call. Once the limit hits? POOF. File deletes itself. No takebacks.

🚀 Two Ways to Share

Option 1: Download a .bar File
Send someone an encrypted file they can decrypt later. Good for offline sharing or when you don't trust servers (fair).

Option 2: Magic Link
Share a link. We host the encrypted file and enforce the rules. Once it hits the view limit or expires? It's gone forever. We even overwrite it 3 times with random data to make sure nobody's recovering it.

🔔 Webhook Alerts (The Fun Part)

Want to know when someone tries to access your file? Set up a webhook! Get a Discord or Slack notification when:

Someone views your file
Someone enters the wrong password
Someone hits the view limit

I don't know about you, but getting a ping that says "⚠️ Wrong password attempt #3" is oddly satisfying.

🛡️ Brute-Force Protection

Try to guess the password? Cute. Here's what happens:

Wrong password = delays (1s, 2s, 4s, 8s...)
5 wrong attempts? Locked out for 60 minutes.
Try to cheat by re-uploading? Nope. We track that.

Hackers hate this one simple trick. (It's called "making them give up.")

The Tech Stack (For My Fellow Nerds 🤓)

Backend:

FastAPI (because Python is still king for APIs)
Cryptography library (the heavy lifter)
PBKDF2 for key derivation (100,000 iterations, because we're not amateurs)
HMAC-SHA256 for tamper detection

Frontend:

React 18 + Vite (blazing fast dev experience)
Tailwind CSS (looking good without the pain)
Lucide React icons (because they're clean AF)

Hosting:

Frontend on Vercel (because it just works)
Backend on Render Free Tier (warning: it takes 50 seconds to wake up from hibernation, so be patient!)

The Desktop Version (Plot Twist!)

Before I built the web version, I made a Windows desktop app (exe) that's honestly even MORE paranoid. Same core security, but with some extra spicy features:

🚨 Desktop-Only Features:

Panic Button: Someone walking up behind you? Hit the button. Your files? Gone in seconds. Three destruction levels:
- Selective: Just clear session data
- Aggressive: Nuke 98%+ of BAR data
- Scorched Earth: Maximum destruction + anti-forensics (nuclear option)
Deadman Switch: Don't log in for a week? Files auto-delete themselves. Spooky but useful.
Hardware Binding: Lock files to your specific PC. Try to copy them elsewhere? They won't decrypt.
100% Offline: No internet. No cloud. Your files NEVER leave your machine.
Security Levels: Choose your paranoia level:
- Standard: 5 wrong passwords = temp lockout
- High: 4 wrong passwords = 24hr lockouts
- Maximum: 3 wrong passwords = EVERYTHING DELETED ☠️

Why did I make a web version then? Because:

Not everyone wants a desktop app
Sharing links is easier than sending .bar files
I wanted to prove the same security works in a browser
I wanted to flex my full-stack muscles 💪

Both versions use the same encryption standards (AES-256-GCM), so pick your poison!

Try It Yourself!

🌐 Live Demo: https://bar-rnr.vercel.app/

Fair warning: The backend is on a free tier that hibernates when not in use. If it's slow to load, give it ~50 seconds to wake up, stretch, and grab some coffee. After that? Lightning fast. ⚡

Want to self-host? The code is on GitHub:
🔗 Web Version: github.com/Mrtracker-new/BAR_RYY

Want the desktop app instead?
🔗 Desktop Version (v2.0.0): github.com/Mrtracker-new/BAR

The desktop version has the panic button and deadman switch—perfect for the truly paranoid! 😈

Things I Learned (The Hard Way)

Encryption is HARD. Like, "I rewrote this 5 times" hard. Don't roll your own crypto. Use battle-tested libraries.
UX matters for security tools. If your security tool is annoying to use, people won't use it. Then they'll go back to emailing passwords in plaintext. 😭
Free hosting has trade-offs. The 50-second wake-up time on Render? Yeah, that's the price of free. Still worth it though!
People LOVE the webhook notifications. I thought it was a silly feature. Turns out everyone wants to know when their file gets accessed. It's like having a security camera for your data.
"Zero-knowledge" is a great pitch. Telling users "I literally CAN'T read your files" is way more reassuring than "I promise I won't read your files."

What's Next?

Some ideas I'm toying with:

Mobile app (because why not go full circle?)
Browser extension (right-click → "Share securely")
Email integration (auto-generate BAR links in Gmail)
Expiring messages (not just files, but text too)

But honestly? I built this mostly because I thought it was cool. If even one person uses it to send a password securely instead of over Slack, I'll call it a win. 🎉

The Real Talk Section

Is this production-ready? For personal use? Absolutely. For enterprise secrets? Maybe test it first. 😅

Can you read my files? Nope! Zero-knowledge means zero-knowledge. I don't have your password, so I can't decrypt anything.

What if the server goes down? If you used client-side mode (downloaded the .bar file), you're fine—it's on your machine. If you used server-side (link sharing), well... RIP. Back up important stuff.

Is this actually secure? I'm not a cryptographer, but I used industry-standard algorithms (AES-256, PBKDF2, HMAC-SHA256) implemented by people way smarter than me. The code is open source, so feel free to audit it!

Try It, Break It, Tell Me About It

Seriously, go play with it: bar-rnr.vercel.app

Upload a file, set it to self-destruct, feel like James Bond for 30 seconds. If you find bugs (or ways to break it), open an issue on GitHub. I accept PRs, feature requests, and memes.

And if you're thinking "this is over-engineered for sharing cat pictures"—you're absolutely right. But wouldn't you rather share those cat pictures with military-grade encryption? 😺🔐

Made with ☕, 💻, and a healthy dose of paranoia.

P.S. - Want the desktop version with the panic button? Check out github.com/Mrtracker-new/BAR for the 100% offline, extra-paranoid version! 🚨

DEV Community