Security
StarkLite is designed for temporary access. Treat the generated password like an SSH key — anyone holding it can read (or with default settings, modify) the database.
What StarkLite does for you
- Random credentials per launch. A 16-character password is generated using a cryptographically secure RNG. A random port in 6000–6999 reduces casual probing.
- bcrypt password hashing. The password is hashed once at startup; the plaintext is held only in memory and on stdout.
- Login rate limiting. 5 failed attempts per minute per IP blocks further attempts for that minute.
- Session cookies are
HttpOnlyandSameSite=Lax, mitigating XSS and cross-site request forgery. - Read-only enforcement at two levels.
--readonlyopens the database file read-only via the driver AND rejects mutating handlers up-front. - Bounded SQL. The SQL console enforces a 30-second per-query timeout.
What you should do
- Prefer
--bind-localhostand access via an SSH tunnel rather than exposing the port to the public internet. - Set
--expireand--idle-timeoutso the process can't be forgotten and left running. - Use
--readonlyunless you specifically need to edit data. - Terminate the process (Ctrl-C) when you're done. The binary leaves no service installed.
- Do not run StarkLite as root. Run as a user with read (or read+write, deliberately) access to the SQLite file only.
- If you must expose it publicly, put a TLS-terminating reverse proxy in front (see the SSH/proxy guide).
Threat model — what StarkLite does not protect against
- An attacker on the same host as the StarkLite process (they can read its memory and the SQLite file directly).
- A user with a copy of your terminal scrollback or any place the printed password was captured.
- Network sniffing on plaintext HTTP — StarkLite does not terminate TLS itself. Use SSH tunneling or a reverse proxy if the channel is untrusted.
Reporting vulnerabilities
Please report security issues privately via GitHub security advisories on the project repository. Do not open a public issue with reproduction details.