Security

StarkLite is designed for temporary access. Treat the generated password like an SSH key — anyone holding it can read (or with default settings, modify) the database.

What StarkLite does for you

  • Random credentials per launch. A 16-character password is generated using a cryptographically secure RNG. A random port in 6000–6999 reduces casual probing.
  • bcrypt password hashing. The password is hashed once at startup; the plaintext is held only in memory and on stdout.
  • Login rate limiting. 5 failed attempts per minute per IP blocks further attempts for that minute.
  • Session cookies are HttpOnly and SameSite=Lax, mitigating XSS and cross-site request forgery.
  • Read-only enforcement at two levels. --readonly opens the database file read-only via the driver AND rejects mutating handlers up-front.
  • Bounded SQL. The SQL console enforces a 30-second per-query timeout.

What you should do

  • Prefer --bind-localhost and access via an SSH tunnel rather than exposing the port to the public internet.
  • Set --expire and --idle-timeout so the process can't be forgotten and left running.
  • Use --readonly unless you specifically need to edit data.
  • Terminate the process (Ctrl-C) when you're done. The binary leaves no service installed.
  • Do not run StarkLite as root. Run as a user with read (or read+write, deliberately) access to the SQLite file only.
  • If you must expose it publicly, put a TLS-terminating reverse proxy in front (see the SSH/proxy guide).

Threat model — what StarkLite does not protect against

  • An attacker on the same host as the StarkLite process (they can read its memory and the SQLite file directly).
  • A user with a copy of your terminal scrollback or any place the printed password was captured.
  • Network sniffing on plaintext HTTP — StarkLite does not terminate TLS itself. Use SSH tunneling or a reverse proxy if the channel is untrusted.

Reporting vulnerabilities

Please report security issues privately via GitHub security advisories on the project repository. Do not open a public issue with reproduction details.