Secure, one-time secret sharing made simple.
Built by @fadez in Cursor using Laravel, Vue.js and Tailwind CSS.
SneakPeek showcases my full-stack development skills and workflow, combining modern frameworks and best practices to deliver a secure, scalable, and production-quality web application.
- Laravel framework v13
- RESTful API using Laravel API Resources with clean controllers and rate-limited routes
- Eloquent ORM with custom scopes, accessors, and API Resources
- Database migrations with proper indexing for performance and integrity
- A scheduled command to permanently wipe expired secrets from the database
- Custom error response handling
- A/B testing and feature flags, powered by Laravel Pennant
- Real-time event broadcasting and statistics dashboard, powered by Laravel Echo and Pusher Channels
- Maximum privacy & security
- End-to-end privacy — no authentication, no logs
- Custom privacy-first session handler that doesn't store any user information
- Secrets can only be accessed once, then wiped permanently
- Secret content encrypted using Laravel's built-in encryption
- Secret access tokens (hashed in DB) stored in the URL #hash fragment to prevent server-side logging, analytics tracking, or accidental leakage via Referer header
- Secrets have optional passphrase (hashed in DB)
- Mandatory expiration time for secrets
- Minimized framework headers and error masking to prevent framework identification, fingerprinting, and targeted exploits
- API throttling (rate limiting) to prevent brute-force attacks
- Laravel Sanctum integration for robust CSRF protection and secure API state management
- Clean architecture
- Readable, maintainable code with scoped responsibilities
- SOLID principles applied throughout
- Quality Assurance (QA)
- A comprehensive suite of unit, feature, and browser tests using Pest, utilizing its native Playwright integration for E2E browser testing
- Strict code consistency and PSR-12 compliance, enforced by Laravel Pint
- Strict static analysis with maximum type safety across the entire codebase with max PHPStan level, enforced by Larastan
- Automated code upgrades and modernisation enforced by Rector, with Laravel-specific rules for idiomatic refactoring
- Vue.js v3.5
- Composition API with the <script setup> syntax for clean components
- Modular, component-based structure with reusable Single File Components (SFC)
- Single-page application (SPA) architecture powered by Vue Router
- Consistent naming conventions and directory organization for ease of navigation and scalability
- Pinia for centralized state management and application-wide reactive data
- Centralized notification system powered by Pinia store, providing a unified API for toast notifications across the entire application
- Tailwind CSS v4.2
- Fully custom UI/UX design crafted from scratch, with no third-party UI component libraries
- Modern utility-first styling for mobile-first responsive design
- Light and dark mode support with automatic switching
- Comprehensive support for seamless keyboard-only navigation, ensuring full accessibility compliance and superior user experience for power users
- Vite
- Lightning-fast builds and production optimization
- Continuous Integration (CI)
- Automated CI pipeline using Laravel Pint, PHPStan, Pest, and Playwright via GitHub Actions on every push
- Continuous Deployment (CD)
- Automated CD pipeline that deploys to a Google Cloud Compute Engine instance via SSH
- Secure SSH orchestration using encrypted GitHub Secrets and SSH key pairs for automated remote deployment
- Deployment
- Zero-friction deployment with included deployment script and nginx server configuration template
- Live demo is deployed on Google Cloud, protected by Cloudflare using best practices:
- Full (Strict) SSL/TLS to eliminate man-in-the-middle vulnerabilities by requiring a trusted Cloudflare origin CA certificate
- Authenticated Origin Pulls (mTLS) to ensure that only connections routed through Cloudflare WAF can reach the server, effectively cloaking the origin server from direct IP-based attacks
- Region-based Cloudflare security rules to restrict network access from undesired geographic areas
- Both restoring original visitor IPs and all web server logging are deliberately disabled to maximize visitor privacy by ensuring IP addresses are never retained or logged, eliminating associated risks
- Developer Experience (DX)
- Custom composer.json scripts streamline application setup, linting, and testing for a smooth developer workflow
- Easy onboarding with a single command that handles environment setup, SQLite database creation, and dependency installation
- Laravel Boost integration for Cursor via MCP (Model Context Protocol) server accelerates AI-assisted development by providing the essential context and structure that AI needs
- Automated linting and formatting using Prettier to ensure a standardized code style across all Vue and CSS files
- Laravel Debugbar is included for local debugging and profiling
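
The token handling described in the privacy bullets above (token in the URL fragment, only its hash in the database, a single read, mandatory expiry), as an added example that is not SneakPeek's own code: an in-memory JavaScript model. The SHA-256 token hash, the /s/{id} route and all names are assumptions; encryption of the stored content and the optional passphrase are left out.

```javascript
// Added illustration (not SneakPeek's code): one-time secrets addressed by a
// token that lives only in the URL fragment and is stored server-side as a hash.
const { createHash, randomBytes, timingSafeEqual } = require('node:crypto');

// Assumption: SHA-256 for the token hash; the README only says "hashed in DB".
const sha256 = (s) => createHash('sha256').update(s).digest();

class SecretStore { // stand-in for the database table
  constructor() { this.rows = new Map(); }

  // Returns the share link. The raw token is never written to `rows`.
  create(content, ttlMs, now = Date.now()) {
    const id = randomBytes(8).toString('hex');
    const token = randomBytes(32).toString('base64url');
    this.rows.set(id, { tokenHash: sha256(token), content, expiresAt: now + ttlMs });
    return `https://sneakpeek.test/s/${id}#${token}`; // hypothetical route
  }

  // One-time read: the row is deleted before the content is returned.
  reveal(id, token, now = Date.now()) {
    const row = this.rows.get(id);
    if (!row) return null;
    if (now >= row.expiresAt) { this.rows.delete(id); return null; }
    if (!timingSafeEqual(row.tokenHash, sha256(token))) return null;
    this.rows.delete(id);
    return row.content;
  }

  // What a scheduled wipe of expired rows amounts to.
  purgeExpired(now = Date.now()) {
    let n = 0;
    for (const [id, row] of this.rows) if (now >= row.expiresAt) { this.rows.delete(id); n++; }
    return n;
  }
}

// What the HTTP layer sees for a share link: the fragment is not part of the
// request target, so it cannot reach access logs or a Referer header.
function requestTarget(link) {
  const u = new URL(link);
  return u.pathname + u.search;
}

// Client side: split the link into the id (sent in the path) and the token
// (sent only by the explicit reveal call).
function parseShareLink(link) {
  const u = new URL(link);
  return { id: u.pathname.split('/').pop(), token: u.hash.slice(1) };
}
```
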
Before beginning installation, make sure that your local machine has:
Using Laravel Herd as your local development environment is highly recommended.
Go to your Laravel Herd sites folder and run:
git clone https://github.com/fadez/sneakpeek.git && cd sneakpeek && composer setup
Make sure to secure the site with TLS:
herd secure sneakpeek
SneakPeek offers real-time broadcasting support through either Laravel Reverb or Pusher Channels.
First, you need to create a Pusher Channels application.
Next, you need to update the .env file with Pusher credentials and set BROADCAST_CONNECTION to pusher:
BROADCAST_CONNECTION=pusher
PUSHER_APP_ID=your-app-id
PUSHER_APP_KEY=your-app-key
PUSHER_APP_SECRET=your-app-secret
PUSHER_APP_CLUSTER=your-cluster
Finally, run this to enable broadcasting:
npm run build
First, you need to install and enable Laravel Reverb:
composer setup:reverb
Laravel Reverb will automatically update the .env file.
Next, you need to run this to apply changes:
npm run build
Finally, start the Laravel Reverb server to enable broadcasting:
php artisan reverb:start
If you're using Laravel Herd, you can now access the app at sneakpeek.test.
You can run the full test suite, PHPStan and Laravel Pint with a single command:
composer test