Introduction

Secure, one-time secret sharing made simple.

Designed, developed and maintained by Alex Fadez.

SneakPeek showcases my full-stack development skills and workflow, combining modern frameworks and best practices to deliver a secure, scalable, and production-quality web application.

Live demo

sneakpeek.alexfadez.com

Features

Backend

• Laravel framework
  • RESTful API using Laravel API Resources with clean controllers and rate-limited routes
  • Eloquent ORM with custom scopes, accessors, and API Resources
  • Database migrations with proper indexing for performance and integrity
  • A scheduled command to permanently wipe expired secrets from the database
  • Custom error response handling
  • A/B testing and feature flags, powered by Laravel Pennant
  • Real-time event broadcasting and a live statistics dashboard, powered by Laravel Echo
• Maximum privacy & security
  • End-to-end privacy — no authentication, no logs
  • Custom privacy-first session handler that doesn't store any user information
  • Secrets can only be accessed once, then wiped permanently
  • Secret content encrypted using Laravel's built-in encryption
  • Secret access tokens (hashed in DB) stored in the URL # hash fragment to prevent server-side logging, analytics tracking, or accidental leakage via Referer header
  • Secrets have optional passphrase (hashed in DB)
  • Mandatory expiration time for secrets
  • Minimized framework headers and error masking to prevent framework identification, fingerprinting, and targeted exploits
  • API throttling (rate limiting) to prevent brute-force attacks
  • Laravel Sanctum integration for robust CSRF protection and secure API state management
• Clean architecture
  • Readable, maintainable code with scoped responsibilities
  • SOLID principles applied throughout
• Quality Assurance (QA)
  • Strict code consistency and PSR-12 compliance, enforced by Laravel Pint
  • Strict static analysis with maximum type safety across the entire codebase with PHPStan level 10 (maximum strictness), enforced by Larastan
  • A comprehensive suite of unit, feature, and browser tests using Pest, utilizing its native Playwright integration for E2E browser testing
  • Architectural integrity, enforced by Pest's native architecture testing, ensuring structural conventions across the codebase
  • 100% type coverage across the codebase, enforced by Pest's native type coverage plugin
  • Automated code upgrades and modernization by Rector, with Laravel-specific rules for idiomatic refactoring

Frontend

• Vue.js
  • Composition API with the <script setup> syntax for clean components
  • Modular, component-based structure with reusable Single File Components (SFC)
  • Single-page application (SPA) architecture powered by Vue Router
  • Consistent naming conventions and directory organization for ease of navigation and scalability
  • Pinia for centralized state management and application-wide reactive data
  • Centralized notification system powered by Pinia store, providing a unified API for toast notifications across the entire application
• Tailwind CSS
  • Fully custom UI/UX design crafted from scratch, with no third-party UI component libraries
  • Modern utility-first styling for mobile-first responsive design
  • Light and dark mode support with automatic switching
  • Comprehensive support for seamless keyboard-only navigation, ensuring full accessibility compliance and superior user experience for power users
• Vite
  • Lightning-fast builds and production optimization

CI/CD

• Continuous Integration (CI)
  • Automated CI pipeline using Laravel Pint, PHPStan, Pest, and Playwright via GitHub Actions on every push
• Continuous Deployment (CD)
  • Automated CD pipeline that deploys to a Google Cloud Compute Engine instance via SSH
  • Secure SSH orchestration using encrypted GitHub Secrets and SSH key pairs for automated remote deployment

Deployment & DX

• Deployment
  • Zero-friction deployment with included deployment script and nginx server configuration template
  • Live demo is deployed on Google Cloud, protected by Cloudflare using best practices:
    • Full (Strict) SSL/TLS to eliminate man-in-the-middle vulnerabilities by requiring a trusted Cloudflare origin CA certificate
    • Authenticated Origin Pulls (mTLS) to ensure that only connections routed through Cloudflare WAF can reach the server, effectively cloaking the origin server from direct IP-based attacks
    • Region-based Cloudflare security rules to restrict network access from undesired geographic areas
    • Both restoring original visitor IPs and all web server logging are deliberately disabled to maximize visitor privacy by ensuring IP addresses are never retained or logged, eliminating associated risks
• Developer Experience (DX)
  • Custom composer.json scripts streamline application setup, linting, testing, and automated code refactoring/upgrades, enabling a smooth and modern developer workflow
  • Easy onboarding with a single composer setup command that handles environment setup, creates the SQLite database, and installs dependencies
  • Laravel Boost integration for Cursor via MCP (Model Context Protocol) server accelerates AI-assisted development by providing the essential context and structure that AI needs
  • Laravel Debugbar is included for local debugging and profiling
  • Automated formatting with Prettier for consistent code style

Installation

Note

Requires PHP v8.5+, Node.js v24+ with npm, Composer and Git

Tip

Using Laravel Herd as your local development environment is highly recommended.

Application setup

Go to your Laravel Herd sites folder and run:

git clone https://github.com/fadez/sneakpeek.git && cd sneakpeek && composer setup

Note

SneakPeek requires HTTPS.

If you're using Laravel Herd, you can enable HTTPS by running:

herd secure sneakpeek

Broadcasting setup (optional)

SneakPeek offers real-time broadcasting support through either the Laravel Reverb or Pusher Channels.

Broadcasting setup with Pusher

First, you need to create a Pusher Channels application.

Next, you need to update the .env file with Pusher credentials and set BROADCAST_CONNECTION to pusher:

BROADCAST_CONNECTION=pusher
PUSHER_APP_ID=your-app-id
PUSHER_APP_KEY=your-app-key
PUSHER_APP_SECRET=your-app-secret
PUSHER_APP_CLUSTER=your-cluster

Finally, run this to enable broadcasting:

npm run build

Broadcasting setup with Laravel Reverb

First, run this command and enable the Laravel Reverb driver when prompted in the terminal:

composer install:reverb

Next, you need to run this to apply changes:

npm run build

Finally, start the Laravel Reverb server to enable broadcasting:

php artisan reverb:start

Visiting the site

If you're using Laravel Herd, you can now access the app at sneakpeek.test.

Available commands

Code quality

• composer lint - Runs Rector and Laravel Pint
• composer test:lint - Runs Rector and Laravel Pint in dry-run mode for CI/CD pipelines

Testing

• composer test:type-coverage - Runs Pest type coverage checks (ensures 100% type coverage)
• composer test:types - Runs PHPStan at level 10 (maximum strictness)
• composer test:unit - Runs all Pest tests (unit, feature, browser and architecture tests)
• composer test - Runs the complete test suite (type coverage, static analysis, linting, and all Pest tests)

Maintenance

• composer update:requirements - Updates all Composer and npm dependencies and rebuilds frontend assets