Name	Name	Last commit message	Last commit date
Latest commit History 22 Commits
.github/workflows	.github/workflows
tests	tests
.gitignore	.gitignore
CLAUDE.md	CLAUDE.md
LICENSE	LICENSE
README.md	README.md
composer.json	composer.json
index.php	index.php
phpunit.xml	phpunit.xml

HopTransfert 🚀

A minimalist, secure, and anonymous file sharing solution

HopTransfert is a single-file PHP application that enables secure, password-protected file sharing without requiring user registration or complex setup. Perfect for quick, secure file transfers with automatic cleanup.

PHP Version License Security

image

✨ Features

🔐 Password Protected: Files are secured with user-defined passwords
👤 Anonymous: No user registration or login required
🗑️ Auto-Cleanup: Files automatically deleted after download
🛡️ Secure: OWASP Top 10 compliant with comprehensive security measures
⚡ Rate Limited: Built-in protection against abuse (5-second intervals per IP)
📁 Single File: Entire application in one PHP file
💾 No Database: Uses JSON for metadata storage
🎨 Clean UI: Responsive design with Tailwind CSS
📱 Mobile Friendly: Works perfectly on all devices
🔬 Tested: Comprehensive security test suite with PHPUnit
🤖 CI/CD: GitHub Actions for automated testing and code review

🚀 Quick Start

Requirements

PHP 8.1 or higher
Web server (Apache, Nginx, etc.)
Write permissions for the application directory

Installation

Download the application:

wget https://raw.githubusercontent.com/yourusername/HopTransfert/main/index.php

Upload to your web server:

# Upload index.php to your web root directory
cp index.php /var/www/html/

Set proper permissions:

chmod 755 /var/www/html/index.php
chmod 755 /var/www/html/ # Ensure directory is writable

Access your application:
```
https://yourdomain.com/index.php
```

That's it! The application will automatically create the required directories and files on first run.

🏗️ Directory Structure

After first run, HopTransfert creates the following structure:

your-web-root/
├── index.php # Main application file
├── data/ # Application data directory
│ ├── files.json # File metadata database
│ ├── download.log # Download tracking for rate limiting
│ └── php_errors.log # Error logs
└── download/ # File storage directory
 ├── .htaccess # Access protection
 └── [uuid-files] # Uploaded files (UUID named)

📖 How It Works

1. Upload Process

User selects a file and sets a download password
File is uploaded and stored with a unique UUID filename
Password is securely hashed using PHP's password_hash()
User receives a clean download link (no password in URL)

2. Download Process

Recipient clicks the download link
Password form is displayed showing the original filename
Recipient enters the password via secure POST form
If password is correct, file downloads immediately
File and metadata are automatically deleted after successful download

3. Security Features

Rate Limiting: 5-second intervals per IP address
Secure File Storage: Files stored outside web root with UUID names
Password Protection: Secure hashing with verification
Input Sanitization: All inputs sanitized against XSS
Access Control: Download directory protected by .htaccess
CSRF Protection: Cross-Site Request Forgery protection with tokens
HTTP Response Splitting: Secure header handling

⚙️ Configuration

All configuration is done via constants at the top of index.php:

// Rate limiting
const DOWNLOAD_RATE_LIMIT_SECONDS = 5;
// File upload limits
const MAX_FILE_SIZE = 50 * 1024 * 1024; // 50MB
// Allowed file extensions
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt', 'doc', 'docx', 'zip', 'rar'];
// Security
const PASSWORD_MIN_LENGTH = 6;
...

Customization Options

Setting	Default	Description
`DOWNLOAD_RATE_LIMIT_SECONDS`	5	Seconds between downloads per IP
`MAX_FILE_SIZE`	50MB	Maximum file upload size
`ALLOWED_EXTENSIONS`	Various	Whitelist of allowed file types
`HASH_SALT`	'your-secret-salt-here'	Hash salt used for data anonymization
`PASSWORD_MIN_LENGTH`	6	Minimum password length
`MAX_LOG_LINES`	5	Prevent log bloat

🔒 Security Features

HopTransfert implements multiple layers of security:

OWASP Top 10 Compliance

A01 Broken Access Control: Files protected by UUID and .htaccess
A02 Cryptographic Failures: Secure password hashing with password_hash()
A03 Injection: All inputs sanitized with htmlspecialchars()
A04 Insecure Design: Rate limiting and secure file handling
A05 Security Misconfiguration: Proper error logging, no debug info exposure
A06 Vulnerable Components: Self-contained, minimal dependencies
A07 Authentication Failures: Secure password verification
A08 Software Integrity: Single-file application
A09 Logging Failures: Comprehensive error and access logging
A10 Server-Side Request Forgery: No external requests made

Additional Security Measures

UUID File Names: Prevents path traversal and filename conflicts
POST-based Authentication: Passwords never exposed in URLs
Automatic Cleanup: Reduces attack surface by removing files
File Type Validation: Whitelist-based file extension checking
Error Handling: Secure error logging without information disclosure
CSRF Protection: Form-based CSRF tokens prevent unauthorized actions
Session Security: Optimized session management and security
Response Security: Prevents HTTP Response Splitting attacks

GDPR Compliance

Download log: Using hash (with a secret salt) instead of storing full IPs

Ressource control

Download log: Keeping log size bounded (truncating old lines)

🌟 Use Cases

Personal Use

Share documents with friends or colleagues
Send files that are too large for email
Temporary file sharing without cloud storage

Business Applications

Secure client file delivery
Internal document sharing
Temporary project file distribution
Contractor file exchanges

Development & Testing

Share build artifacts
Distribute test files
Quick file transfers between environments

🔧 Advanced Configuration

Web Server Configuration

Apache (.htaccess)

The application automatically creates .htaccess files, but you can enhance security:

# Additional security headers
<IfModule mod_headers.c>
 Header always set X-Content-Type-Options nosniff
 Header always set X-Frame-Options DENY
 Header always set X-XSS-Protection "1; mode=block"
</IfModule>
# Disable server signature
ServerTokens Prod
ServerSignature Off

Nginx

server {
 listen 443 ssl;
 server_name yourdomain.com;
 
 # Security headers
 add_header X-Content-Type-Options nosniff;
 add_header X-Frame-Options DENY;
 add_header X-XSS-Protection "1; mode=block";
 
 # Deny access to data directory
 location /data/ {
 deny all;
 }
 
 # Deny access to download directory
 location /download/ {
 deny all;
 }
 
 location ~ \.php$ {
 fastcgi_pass unix:/var/run/php/php8.1-fpm.sock;
 fastcgi_index index.php;
 include fastcgi_params;
 fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 }
}

SSL/HTTPS Setup

For production use, always enable HTTPS:

# Using Certbot for Let's Encrypt
certbot --nginx -d yourdomain.com

File Size Limits

Adjust PHP settings for larger files:

; php.ini
upload_max_filesize = 100M
post_max_size = 100M
max_execution_time = 300
memory_limit = 256M

📊 Monitoring & Maintenance

Log Files

HopTransfert generates several log files for monitoring:

# View error logs
tail -f data/php_errors.log
# View download activity
tail -f data/download.log
# Check web server logs
tail -f /var/log/apache2/access.log

Maintenance Tasks

# Clean up old log files (optional)
find data/ -name "*.log" -mtime +30 -delete
# Monitor disk usage
du -sh data/ download/
# Check for orphaned files (shouldn't exist with auto-cleanup)
find download/ -type f -mtime +1

🐛 Troubleshooting

Common Issues

File Upload Fails

# Check permissions
ls -la /var/www/html/
chmod 755 /var/www/html/
# Check PHP configuration
php -i | grep upload_max_filesize
php -i | grep post_max_size

Downloads Not Working

# Verify .htaccess is working
curl -I https://yourdomain.com/download/test-file
# Check error logs
tail data/php_errors.log

Rate Limiting Too Strict

Edit index.php and adjust:

const DOWNLOAD_RATE_LIMIT_SECONDS = 1; // Reduce to 1 second

Debug Mode

For development, you can enable debug mode by modifying the error display settings:

// Temporarily enable for debugging (DO NOT use in production)
ini_set('display_errors', 1);
error_reporting(E_ALL);

🤝 Contributing

We welcome contributions! Please follow these guidelines:

Development Setup

git clone https://github.com/yourusername/HopTransfert.git
cd HopTransfert
# Install development dependencies
composer install
# Run security tests
composer test
# Set up your local web server to point to the directory
php -S localhost:8000 index.php

Code Style

Follow PSR-12 coding standards
Use meaningful variable names
Add comments for complex logic
Maintain security-first approach
Write tests for new security features
Ensure all tests pass before submitting PRs

Pull Request Process

Fork the repository
Create a feature branch (git checkout -b feature/AmazingFeature)
Commit your changes (git commit -m 'Add AmazingFeature')
Push to the branch (git push origin feature/AmazingFeature)
Open a Pull Request

Security Reports

Please report security vulnerabilities privately by emailing security@yourdomain.com.

📄 License

This project is licensed under the MIT License - see the LICENSE file for details.

🙏 Acknowledgments

Built with security best practices from OWASP
UI powered by Tailwind CSS
Inspired by the need for simple, secure file sharing
Accelerated development with Claude.AI

📞 Support

Documentation: Check this README and code comments
Issues: GitHub Issues
Discussions: GitHub Discussions

🔮 Roadmap

Multi-file upload support
Download expiration times
Admin panel for monitoring
Docker containerization
API endpoints
File preview capabilities

Made with ❤️ for secure, simple file sharing

HopTransfert - Because file sharing should be simple and secure.

License

fedir/HopTransfert

Folders and files

Latest commit

History

Repository files navigation