madebyraygun/pssst
==================

A lightweight single-user application to securely submit and retrieve information via the web.

Version 0.1.0 (1y ago) | [5 issues](https://github.com/madebyraygun/pssst/issues) | License: MIT | Language: PHP | Requires PHP >=8.2.0

[Source](https://github.com/madebyraygun/pssst) | [Packagist](https://packagist.org/packages/madebyraygun/pssst)

PSSST!
======

A lightweight PHP-based application to securely submit and retrieve information such as passwords via the web. No database required. Keep your secrets out of email and Slack!

With the TOTP authentication and administrator email features enabled, this app functions as a single-user secret request form: only the administrator is notified and can retrieve secrets. With these features turned off, anyone can use the system to generate a secret, copy the generated link, and send it via any secure channel.

**Note** This application is still in development, and, given the presumably sensitive nature of the message contents, should be used with caution.

Installation
------------

Upload the source files to a web server running PHP 8.2 or later, or use a local web server such as DDEV (configuration included) to test the application. If you're using a web server other than DDEV, make sure you set the `public` folder as the html root.

From the terminal:

`composer install`

`cp .env.example .env`

Edit the .env file to update the app settings. Include your Cloudflare Turnstile site key and Mailgun credentials (recommended but optional).

### Optional

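If you want to use a time-based OTP to protect your secrets, set `TOTP_ACTIVE` to "true" and generate an OTP key with the following terminal command:

`echo "TOTP_SECRET=\"$(LC_ALL=C tr -dc 'A-Z2-7' </dev/urandom | head -c 32)\"" >> .env`

The command appends to `.env` with `>>`, so the settings copied from `.env.example` are kept. The length of 32 Base32 characters (160 bits) is an assumed value.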

Other configuration options
---------------------------

Choose a color theme by setting the `APP_THEME` setting. See  for available themes.

Upload a `logo.png` file to the `public\assets\` directory to set a custom logo. Use the filenames `logo-light.png` and `logo-dark.png` to set different logos for light and dark mode.

Disable the GitHub repo link by setting `SHOW_GITHUB_LINK` to false.

Usage
-----

On first run, if you're using TOTP, generate your authenticator secret at `/generate-totp`. This is a unique secret that is based on your admin email address and the `TOTP_SECRET` value in your `.env` file. You will use the dynamically generated 6-digit code to retrieve and delete secrets. Save this URL to your authenticator program.

---

### Extremely important note

The `generate-totp` endpoint is only available when the app is in "dev" mode. It is extremely important that you **only** run the publicly accessible site in "production" mode. Running a publicly accessible site in "dev" mode can expose your TOTP authentication credentials. If you make this mistake, be sure to regenerate your `TOTP_SECRET` key and update your authenticator.

---

Create a new secret using the form at the main URL of your application. The secret contents will be saved as a JSON file in the `data` folder, and the contents of the message will be encrypted with a "key" that is included in the retrieve URL. The server administrator cannot view the contents of the secret without that key.

A URL will be generated to retrieve the secret. If you've set up Mailgun, the URL will be emailed to the administrator. Otherwise, the URL will be displayed on the `/created/` page after the secret has been successfully saved.

The `retrieve` endpoint is protected by the TOTP authentication you set up earlier. Enter your code to view and delete your secrets.
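
The storage model described above, sketched as an added example (not pssst's own code): the server writes only a nonce and ciphertext to the `data` folder, and the key exists only in the retrieve URL. The cipher (libsodium `secretbox`), JSON field names, file naming and URL shape are assumptions, and the TOTP check on `retrieve` is omitted.

```php
<?php
declare(strict_types=1);
// Added illustration, not pssst's code. Cipher (libsodium secretbox), JSON
// field names, file naming and URL shape are assumptions.
const B64 = SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING;

/** Encrypt $plaintext, write only nonce + ciphertext to disk, return id and key. */
function storeSecret(string $plaintext, string $dataDir): array
{
    $key   = sodium_crypto_secretbox_keygen();                 // fresh 256-bit key per secret
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $id    = bin2hex(random_bytes(16));                        // unguessable record name
    $record = [
        'nonce'      => sodium_bin2base64($nonce, B64),
        'ciphertext' => sodium_bin2base64(sodium_crypto_secretbox($plaintext, $nonce, $key), B64),
    ];
    file_put_contents("$dataDir/$id.json", json_encode($record, JSON_THROW_ON_ERROR), LOCK_EX);
    return ['id' => $id, 'key' => sodium_bin2base64($key, B64)]; // key leaves only via the URL
}

/** Decrypt record $id with the key from the retrieve URL; null on any failure. */
function retrieveSecret(string $id, string $urlKey, string $dataDir): ?string
{
    $path = "$dataDir/$id.json";
    if (!ctype_xdigit($id) || !is_file($path)) {               // hex-only id blocks path traversal
        return null;
    }
    try {
        $record = json_decode((string) file_get_contents($path), true, 4, JSON_THROW_ON_ERROR);
        $plain  = sodium_crypto_secretbox_open(
            sodium_base642bin($record['ciphertext'], B64),
            sodium_base642bin($record['nonce'], B64),
            sodium_base642bin($urlKey, B64)
        );
    } catch (JsonException | SodiumException | TypeError) {    // malformed record or key
        return null;
    }
    return $plain === false ? null : $plain;                   // false = wrong key or tampering
}

// Constructed demo: temp directory and sample secret are made up for this example.
$dir = sys_get_temp_dir() . '/pssst-demo-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$ref = storeSecret('constructed sample secret', $dir);
echo "https://example.test/retrieve/{$ref['id']}?key={$ref['key']}\n";
var_dump(retrieveSecret($ref['id'], $ref['key'], $dir));         // correct key from the URL
var_dump(retrieveSecret($ref['id'], str_repeat('A', 43), $dir)); // well-formed but wrong key
echo file_get_contents("$dir/{$ref['id']}.json"), "\n";          // what the server admin sees
```

Because the key travels in the URL, anything that records full request URLs (web server access logs, reverse proxies, browser history) also holds the key, so treat those as sensitive alongside the `data` folder.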

Roadmap
-------

- Add automatic time-based expiration of secrets
- Add "delete after view" for secrets
- Add translation support
- Security review

