100% open-source

Host your own Seecret.it

A minimalistic, fully open-source version of Seecret.it. Vanilla JavaScript frontend, PHP + SQLite backend (single file). Deploy in 30 seconds on any shared hosting.

Why this version?

Trust is earned. Rather than promise we don't read your secrets, we give you the code so you can verify — and host it yourself if you want total control.

Open-source

What you get

AES-GCM 256-bit

Authenticated client-side encryption via the browser's native Web Crypto API. No dependencies, no build step.

Zero-knowledge

The key stays in the URL # fragment — never sent to the server. Even a compromised database reveals nothing.

Atomic destruction

SQLite BEGIN IMMEDIATE transaction: read and delete in one operation, guaranteed race-free.

Configurable expiry

5 minutes, 1 hour, 1 day, 7 days, 30 days. Lazy purge on every request.

Optional password

Extra layer with PBKDF2 SHA-256 derivation and 600,000 iterations (OWASP 2023 recommendation).

Vanilla JavaScript

No framework, no NPM, no Composer dependency. Readable and auditable in 5 minutes.

Built-in rate-limit

20 creates + 60 reads per minute per IP. IP addresses are hashed with a daily salt, never stored in cleartext.

Anti-bot preview gate

A checkbox gate prevents Discord, Slack, and WhatsApp bots from burning your link.
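
The "AES-GCM 256-bit" and "Zero-knowledge" items above, as an added example (not code from the Seecret.it repository): the sender encrypts with Web Crypto, uploads only the IV and ciphertext, and keeps the key in the link's `#` fragment. The payload field names, the `/s/<id>` URL layout, the base64url encoding and the client-generated id are assumptions made for illustration.

```javascript
// Added example, not Seecret.it's code. Payload fields and URL layout are assumptions.
const getCrypto = async () =>
  globalThis.crypto ?? (await import('node:crypto')).webcrypto; // fallback for older Node

const toB64u = (buf) => btoa(String.fromCharCode(...new Uint8Array(buf)))
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const fromB64u = (s) => Uint8Array.from(
  atob(s.replace(/-/g, '+').replace(/_/g, '/')), (ch) => ch.charCodeAt(0));

// Sender: encrypt in the client; return what is uploaded and the link to share.
async function createSecret(plaintext, origin) {
  const c = await getCrypto();
  const key = await c.subtle.generateKey({ name: 'AES-GCM', length: 256 }, true, ['encrypt']);
  const iv = c.getRandomValues(new Uint8Array(12)); // fresh 96-bit nonce per secret
  const ct = await c.subtle.encrypt({ name: 'AES-GCM', iv }, key,
    new TextEncoder().encode(plaintext));
  const rawKey = await c.subtle.exportKey('raw', key);
  const id = toB64u(c.getRandomValues(new Uint8Array(9))); // stand-in for a server-issued id
  return {
    upload: { id, iv: toB64u(iv), ct: toB64u(ct) }, // everything the server stores
    link: `${origin}/s/${id}#${toB64u(rawKey)}`,    // key exists only after '#'
  };
}

// What an HTTP client sends for that link: the fragment is never part of the request.
function requestTarget(link) {
  const u = new URL(link);
  return u.pathname + u.search;
}

// Recipient: key from the fragment, IV and ciphertext from the server.
async function openSecret(link, stored) {
  const c = await getCrypto();
  const rawKey = fromB64u(new URL(link).hash.slice(1));
  const key = await c.subtle.importKey('raw', rawKey, 'AES-GCM', false, ['decrypt']);
  // decrypt() rejects if iv or ct was modified: the GCM tag no longer verifies.
  const pt = await c.subtle.decrypt({ name: 'AES-GCM', iv: fromB64u(stored.iv) }, key,
    fromB64u(stored.ct));
  return new TextDecoder().decode(pt);
}
```

Because the stored record holds no key material, a database dump yields only ciphertext, and a modified record fails decryption instead of returning altered plaintext.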

CLI

Install in 30 seconds

Three commands, any PHP hosting. The data/ folder is auto-created, and the pdo_sqlite extension is usually already installed.

    git clone https://github.com/Seecret-it/seecret.it.git
    cd seecret.it
    php -S localhost:8000

Requirements: PHP ≥ 8.0 with pdo_sqlite extension (package php-sqlite3 on Debian/Ubuntu)

Security

Audited, hardened, transparent

All best practices applied by default. Full threat model in the repo README.

PDO prepared statements everywhere (zero SQL injection)

Strict Content-Security-Policy + X-Frame-Options: DENY + Referrer-Policy: no-referrer

Content-Type: application/json required (CSRF mitigation)

Global cap of 50,000 secrets (disk DoS protection)

history.replaceState after read: the key disappears from history

Apache .htaccess blocks dotfiles, SQLite, logs and directory listing

Compare

Open-source vs hosted version

Open-source covers the fundamentals. The SaaS version on seecret.it adds professional features.

Open-source

Included in self-hosted version

  • Encrypted text, one-time link
  • Expiry from 5 min to 30 days
  • Optional password
  • Readable, auditable code
  • Host it yourself, native GDPR compliance
  • No tracking, no analytics

SaaS

Available only on seecret.it

  • Encrypted file uploads
  • User accounts and history
  • Public inbox @yourslug
  • Browser and Thunderbird extensions
  • Multi-party sharing (Shamir)
  • REST API + webhooks + email notifications

Ready to host your own instance?

The repo is public, the license is open, contributions are welcome.