
Keywords for SEO: no JavaScript, JS free, privacy focused

Crowbar Forum is a fully fledged, somewhat secure, self-hostable forum software built with C#, ASP.NET and Razor that DOESN'T USE ANY JAVASCRIPT BY DEFAULT.

Inspiration for the project

All the forums that don't use JS seem to be written in PHP, which as a language is laughably insecure, so I decided to make my own forum software striving to be more secure and modern than the PHP ones. I decided to go with ASP.NET because it has good support for generating dynamic HTML content with Razor and because it has a good built-in authentication and authorization system.

Features and selling points

Forum functions

  • Basic forum features like creating threads, comments etc...
  • Altcha proof-of-work (POW) captcha integration (the only thing that uses JS in the whole project)
  • Rate limits
  • Admin only categories
  • Can make threads visible to members only
  • Customizable
  • Markdown support

Security related

  • Built with security in mind, passed my own penetration tests
  • WAF you can customize
  • Access checks at every level reduce broken authorization vulnerabilities
  • All JS is blocked by the server and enforced with a strict Content Security Policy, which prevents the effects of XSS and tracking (unless the captcha is enabled)
  • No metadata, HTTP requests or anything like that is logged
  • The admin can wipe all data from the forum if they suspect that an intruder is inside the server



Installation and usage

You can use dotnet on bare metal or use Docker. Docker is recommended for security reasons. It is also recommended to set up a reverse proxy like Caddy if you plan to run this as a clearnet site.

Note

Look through the settings at Crowbar/Settings/appsettings.json before launching a production version.

Docker

git clone https://github.com/Varppi/CrowbarForum
cd CrowbarForum/Crowbar
mkdir Crowbar/Database
docker build -t crowbar -f Crowbar/Dockerfile .
docker run --name crowbarforum_instance -v "$(pwd)/Crowbar/Database:/app/Database" -v "$(pwd)/Crowbar/Settings:/app/Settings" -p 8080:8080 crowbar # bind mounts need absolute host paths

Bare metal

git clone https://github.com/Varppi/CrowbarForum
cd CrowbarForum/Crowbar/Crowbar
dotnet tool install --global dotnet-ef
export PATH=$PATH:~/.dotnet # Adding the dotnet tool path to your $PATH variable (optional)
dotnet ef migrations remove
dotnet ef migrations add ApplicationDbContextMigration
dotnet ef database update
dotnet run



Screenshots

Remember, you can customize the CSS yourself easily if you want to change things up a little.




Configuration

Database

By default Crowbar Forum uses SQLite, but you can also use MSSQL, MySQL or PostgreSQL by changing the "database" field to mysql/sqlite/mssql/postgre and the "DefaultConnection" to match the corresponding format below:

SQLite syntax

Data Source=crowbarforum.db;

MySQL, MSSQL and PostgreSQL syntax

Server=myserver;Database=mydb;User=myuser;Password=mypassword;

WAF

Edit WafRegex.txt in the Settings directory.
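The page does not document the format of WafRegex.txt, so the following is an added example, not the project's own WAF, of how a regex-driven request filter of this kind can be built as ASP.NET Core middleware. It assumes one .NET regular expression per line (blank lines and lines starting with `#` ignored), a file located at Settings/WafRegex.txt under the content root, and a constructed block status code and fixed-size body; the match timeout is there so a pathological pattern in the rules file cannot turn the WAF itself into a denial-of-service vector.

```csharp
// Added example (not CrowbarForum's code): a minimal regex WAF middleware.
// Assumptions: WafRegex.txt holds one .NET regex per line; the blocked status
// code (418) and the 1 KiB body are constructed values, not the project's.
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Text.RegularExpressions;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;

public sealed class RegexWafMiddleware
{
    private const int BlockedStatus = 418;                         // constructed
    private static readonly string BlockedBody = "Not Found".PadRight(1024); // fixed size

    private readonly RequestDelegate _next;
    private readonly Regex[] _rules;

    public RegexWafMiddleware(RequestDelegate next, IWebHostEnvironment env)
    {
        _next = next;
        var rulesPath = Path.Combine(env.ContentRootPath, "Settings", "WafRegex.txt");
        _rules = File.Exists(rulesPath) ? LoadRules(File.ReadLines(rulesPath)) : Array.Empty<Regex>();
    }

    // Compiles the rule lines. The 50 ms match timeout bounds the cost of any
    // single rule, so a catastrophic-backtracking pattern cannot stall a worker.
    public static Regex[] LoadRules(IEnumerable<string> lines) =>
        lines.Select(l => l.Trim())
             .Where(l => l.Length > 0 && !l.StartsWith('#'))
             .Select(l => new Regex(l, RegexOptions.IgnoreCase | RegexOptions.Compiled,
                                    TimeSpan.FromMilliseconds(50)))
             .ToArray();

    // Returns true when the path+query matches any rule. A timed-out rule is
    // treated as a match (fail closed) rather than letting the request through.
    public static bool IsBlocked(IEnumerable<Regex> rules, string target)
    {
        foreach (var rule in rules)
        {
            try { if (rule.IsMatch(target)) return true; }
            catch (RegexMatchTimeoutException) { return true; }
        }
        return false;
    }

    public async Task InvokeAsync(HttpContext context)
    {
        var target = (context.Request.Path.Value ?? "/") + context.Request.QueryString.Value;
        if (IsBlocked(_rules, target))
        {
            // Same status and same body size for every blocked request, so a
            // scanner cannot distinguish "filtered" from "absent" by response length.
            context.Response.StatusCode = BlockedStatus;
            context.Response.ContentType = "text/plain";
            await context.Response.WriteAsync(BlockedBody);
            return;
        }
        await _next(context);
    }
}
```

Add it with `app.UseMiddleware<RegexWafMiddleware>();` before `app.UseRouting()` so filtered requests never reach a handler. A constructed rules file for testing could contain `\.\./` (path traversal probes) and `\.php$` (probes for a stack this project does not run); after a restart, `curl -i 'http://localhost:8080/index.php'` should return the constructed status and the padded body.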

Encryption key

You can find the encryption key setting in the Settings/appsettings.json file. You can insert whatever password or random string you want, but if you put RANDOMIZE_KEY it will generate a random key at each startup. This also means that once you shut down the server, the existing database contents can no longer be decrypted, so they are effectively gone.




Security

Security architecture

[Image: security architecture design diagram]

With security being the main focus on this project, a lot of thought went into it. Here's a list of all the security mechanisms.

  • The WAF sends a custom-sized 404 page with a custom status code, which makes directory bruteforcing much more tedious.
  • Every action needs to be accompanied by a valid user claim. Even if an unauthenticated or unauthorized user managed to bypass the higher-level security measures, they still wouldn't be able to make anything happen.
  • At no point does the program build custom SQL statements. Everything goes through the EF Core ORM.
  • All user inputs are validated.
  • Almost everything is stored in an encrypted form. The key is specified in appsettings.json.
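The last bullet, together with the RANDOMIZE_KEY behaviour described under Configuration, is illustrated by the following added example; it is not CrowbarForum's own encryption code. It assumes the appsettings.json key is named "EncryptionKey" (an assumed name), derives a 256-bit AES key from the configured string with PBKDF2 over a constant application salt, or draws a fresh random key when the value is RANDOMIZE_KEY, and plugs the cipher into EF Core as a value converter so every read and write of the marked column goes through AES-GCM. The authentication tag means a modified ciphertext is rejected on read rather than decrypted into garbage.

```csharp
// Added example (not the project's code): field-level encryption at rest via an
// EF Core value converter. Assumption: the setting is "EncryptionKey"; the
// PBKDF2 salt below is a constant chosen for this example.
using System;
using System.Security.Cryptography;
using System.Text;
using Microsoft.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
using Microsoft.Extensions.Configuration;

public sealed class FieldCipher
{
    private const int NonceSize = 12, TagSize = 16;     // AES-GCM standard sizes
    private readonly byte[] _key;                        // 32 bytes => AES-256

    public FieldCipher(byte[] key) =>
        _key = key.Length == 32 ? key : throw new ArgumentException("need a 32-byte key");

    // RANDOMIZE_KEY gives a fresh key per process start, so ciphertext written
    // by a previous run can never be decrypted again (the README's "database
    // will be gone" behaviour). Any other value is stretched with PBKDF2.
    public static FieldCipher FromConfiguration(IConfiguration config)
    {
        var setting = config["EncryptionKey"] ?? throw new InvalidOperationException("EncryptionKey missing");
        byte[] key = setting == "RANDOMIZE_KEY"
            ? RandomNumberGenerator.GetBytes(32)
            : Rfc2898DeriveBytes.Pbkdf2(setting, Encoding.UTF8.GetBytes("crowbar-field-cipher-v1"),
                                        200_000, HashAlgorithmName.SHA256, 32);
        return new FieldCipher(key);
    }

    // Stored layout: nonce || tag || ciphertext, base64 so it fits a text column.
    public string Encrypt(string plaintext)
    {
        var nonce = RandomNumberGenerator.GetBytes(NonceSize);  // never reuse a nonce per key
        var plain = Encoding.UTF8.GetBytes(plaintext);
        var cipher = new byte[plain.Length];
        var tag = new byte[TagSize];
        using var aes = new AesGcm(_key);
        aes.Encrypt(nonce, plain, cipher, tag);
        var blob = new byte[NonceSize + TagSize + cipher.Length];
        nonce.CopyTo(blob, 0);
        tag.CopyTo(blob, NonceSize);
        cipher.CopyTo(blob, NonceSize + TagSize);
        return Convert.ToBase64String(blob);
    }

    public string Decrypt(string stored)
    {
        var blob = Convert.FromBase64String(stored);
        var plain = new byte[blob.Length - NonceSize - TagSize];
        using var aes = new AesGcm(_key);
        // Throws CryptographicException if the tag does not verify (tampered row or wrong key).
        aes.Decrypt(blob.AsSpan(0, NonceSize), blob.AsSpan(NonceSize + TagSize),
                    blob.AsSpan(NonceSize, TagSize), plain);
        return Encoding.UTF8.GetString(plain);
    }

    public ValueConverter<string, string> ToConverter() =>
        new ValueConverter<string, string>(v => Encrypt(v), v => Decrypt(v));
}

// Hypothetical entity and context showing where the converter is attached.
public sealed class Post { public int Id { get; set; } public string Body { get; set; } = ""; }

public sealed class ForumDbContext : DbContext
{
    private readonly FieldCipher _cipher;
    public ForumDbContext(DbContextOptions<ForumDbContext> options, FieldCipher cipher)
        : base(options) => _cipher = cipher;
    public DbSet<Post> Posts => Set<Post>();

    protected override void OnModelCreating(ModelBuilder modelBuilder) =>
        modelBuilder.Entity<Post>().Property(p => p.Body).HasConversion(_cipher.ToConverter());
}
```

Register the cipher once in Program.cs (`builder.Services.AddSingleton(FieldCipher.FromConfiguration(builder.Configuration));`) so the DbContext receives it by injection. Two consequences worth knowing before enabling this on a column: an encrypted column cannot be searched with LIKE or sorted server-side, and the ciphertext is roughly 1.4 times the plaintext length because of the base64 layer plus 28 bytes of nonce and tag.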

Caution

No software is safe and things always get overlooked. If you have any tech expertise, I urge you to go through the code yourself and report vulnerabilities if you find any.

Most probable security vulnerabilities

The most probable vulnerabilities to be found in this project are DoS and incorrect authorization vulnerabilities, due to the structure of the project. Most data that a view uses doesn't go through a getter, which could lead to potentially sensitive information being sent to an attacker. I have of course gone through the code and fixed all the vulnerabilities I could find, but there might still be some left.
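The two concerns in this paragraph, authorization decided at one layer only and whole entities handed to views, are both addressed by the pattern in the following added example, which is not the project's code. It assumes a hypothetical thread entity with an `AuthorEmail` field that must never reach the page, role names "Admin" and "Member", and the visibility flags described in the feature list. The `[Authorize]` attribute is the first gate, the handler re-reads the claim itself, a pure `CanView` rule applies the per-thread policy, and the view receives only a projection (`ThreadView`) rather than the entity, so a template cannot leak a field the handler did not deliberately expose.

```csharp
// Added example (not CrowbarForum's code): layered authorization in a Razor Page
// plus a view projection. Entity fields and role names are assumptions.
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;
using Microsoft.EntityFrameworkCore;

public sealed class ForumThread
{
    public int Id { get; set; }
    public string Title { get; set; } = "";
    public string Body { get; set; } = "";
    public string AuthorId { get; set; } = "";
    public string AuthorEmail { get; set; } = "";   // sensitive: must never reach a view
    public bool MembersOnly { get; set; }
    public bool AdminOnly { get; set; }
}

// The getter the view gets: only what the page needs, nothing more.
public sealed record ThreadView(int Id, string Title, string Body, bool CanEdit);

public sealed class ThreadsDbContext : DbContext
{
    public ThreadsDbContext(DbContextOptions<ThreadsDbContext> options) : base(options) { }
    public DbSet<ForumThread> Threads => Set<ForumThread>();
}

[Authorize]   // level 1: the framework rejects anonymous requests before the handler runs
public sealed class ThreadModel : PageModel
{
    private readonly ThreadsDbContext _db;
    public ThreadModel(ThreadsDbContext db) => _db = db;
    public ThreadView? Current { get; private set; }

    // level 3: the per-resource rule, kept pure so it can be unit-tested in isolation.
    public static bool CanView(ForumThread t, bool isAdmin, bool isMember) =>
        !(t.AdminOnly && !isAdmin) && !(t.MembersOnly && !isMember);

    public async Task<IActionResult> OnGetAsync(int id)
    {
        // level 2: re-check the claim inside the handler instead of trusting the attribute alone
        var userId = User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (string.IsNullOrEmpty(userId)) return Forbid();
        var isAdmin = User.IsInRole("Admin");            // assumed role names
        var isMember = isAdmin || User.IsInRole("Member");

        var t = await _db.Threads.AsNoTracking().SingleOrDefaultAsync(x => x.Id == id);
        // Hidden and missing threads get the same answer so existence is not leaked.
        if (t is null || !CanView(t, isAdmin, isMember)) return NotFound();

        Current = new ThreadView(t.Id, t.Title, t.Body, CanEdit: isAdmin || t.AuthorId == userId);
        return Page();
    }
}
```

The same shape applies to POST handlers: an edit or delete handler should call the same `CanView` rule (or a stricter `CanEdit` one) on the freshly loaded row rather than on a flag carried in the form, since a posted hidden field is attacker-controlled input while the database row is not.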




Roadmap

I'm just a single person making this, so it might take a while. Contributions are always welcome :)

Priority 1

  • At-rest encryption
  • Reply function
  • Likes
  • Easily customizable forum name
  • More customizable profile (description, PGP key etc.)
  • Customizable WAF
  • Clean up code
  • Support for hiding threads from non-members
  • Setting to allow or disallow attachment downloads from non-members
  • Admin only threads for announcements
  • Invite codes

Priority 2

  • Option to not have permanent encryption key, instead randomly generate one at startup
  • Thread locking
  • File storage
  • Ranks
  • Webhooks
