Configuration
Snip is configured entirely through environment variables.
Environment Variables
| Variable | Default | Description |
|---|---|---|
| SNIP_HOST | 0.0.0.0 | Listen host address |
| SNIP_PORT | 53524 | Listen port number |
| SNIP_BASE_URL | http://localhost:53524 | Public URL used in share links and API responses |
| SNIP_DB_PATH | ./data/snip.db | SQLite database file path |
| SNIP_ADMIN_PASSWORD | (empty) | Admin password for protected endpoints |
| SNIP_JWT_SECRET | (auto-generated) | JWT signing key. Set this in production! |
| SNIP_MAX_SIZE | 10485760 | Maximum paste size in bytes (10MB) |
| SNIP_ALLOW_ANONYMOUS | true | Allow unauthenticated paste creation |
Important: Always set SNIP_JWT_SECRET to a strong random string in production. The auto-generated secret changes on each restart, invalidating all tokens.
Configuration Examples
Minimal Production Setup
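.env
```
# Generate the value once with `openssl rand -hex 32` and paste the output below.
# Most .env loaders (including Docker's env_file) store $(...) as literal text.
SNIP_BASE_URL=https://snip.yourdomain.com
SNIP_JWT_SECRET=<output-of-openssl-rand-hex-32>
```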
Docker Environment
docker-compose.yml
```yaml
environment:
  - SNIP_BASE_URL=https://snip.yourdomain.com
  - SNIP_JWT_SECRET=your-random-32-byte-secret
  - SNIP_PORT=53524
  - SNIP_DB_PATH=/app/data/snip.db
  - SNIP_MAX_SIZE=10485760
```
Custom Port and Host
```bash
SNIP_HOST=127.0.0.1 SNIP_PORT=8080 ./snip
```
Database
Snip uses SQLite with WAL (Write-Ahead Logging) mode for concurrent read access. The database file is created automatically on first run.
Schema
The database has two tables with automatic migration:
- pastes - Stores all paste data including content, metadata, and password hashes
- api_tokens - Stores API token hashes (tokens are never stored in plain text)
- schema_version - Tracks migration version for safe schema upgrades
Database Indexes
| Index | Column(s) | Purpose |
|---|---|---|
| idx_pastes_slug | slug | Fast paste lookup by slug |
| idx_pastes_expires | expires_at | Efficient cleanup of expired pastes |
| idx_pastes_created | created_at DESC | Chronological listing |
| idx_tokens_hash | token_hash | Fast API token lookup |
| idx_pastes_burn | burn_after_read, views | Efficient burn-after-read cleanup |
Backup
Create a database backup via the API:
```bash
curl -X POST http://localhost:53524/api/v1/backup \
  -H "Authorization: snip_your_token"
```
Or manually copy the database file (ensure Snip is stopped or use SQLite's backup API):
```bash
cp /var/lib/snip/snip.db /backup/snip-$(date +%Y%m%d).db
```
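The SQLite backup API route mentioned above, as an added example (not part of Snip's own code or documentation) using Python's standard `sqlite3` module: it copies a live WAL-mode database consistently, creates the copy with owner-only permissions because it holds password and token hashes, and runs an integrity check on the result. The `pastes` table and file names inside `demo()` are constructed stand-ins, not Snip's real schema.

```python
import os
import sqlite3
import tempfile
from pathlib import Path


def backup_sqlite(src_path, dest_path):
    """Copy a live SQLite database with the online backup API.

    Returns the PRAGMA integrity_check result for the copy ("ok" if sound).
    """
    # Create the copy owner-only (0600) and refuse to overwrite an existing file.
    os.close(os.open(dest_path, os.O_CREAT | os.O_EXCL | os.O_WRONLY, 0o600))
    # mode=rw fails if the source is missing instead of silently creating it.
    src = sqlite3.connect(Path(src_path).resolve().as_uri() + "?mode=rw", uri=True)
    dest = sqlite3.connect(dest_path)
    try:
        # backup() reads through SQLite, so committed pages still in the
        # -wal file are included; a plain cp of the .db file can miss them.
        src.backup(dest)
        return dest.execute("PRAGMA integrity_check").fetchone()[0]
    finally:
        dest.close()
        src.close()


def demo():
    """Constructed sample: a WAL database with an open writer, then a backup."""
    workdir = tempfile.mkdtemp()
    live = os.path.join(workdir, "snip.db")
    writer = sqlite3.connect(live)
    writer.execute("PRAGMA journal_mode=WAL")
    # Simplified stand-in table, not Snip's real schema.
    writer.execute("CREATE TABLE pastes (slug TEXT PRIMARY KEY, content TEXT)")
    writer.executemany("INSERT INTO pastes VALUES (?, ?)",
                       [("a1", "first"), ("b2", "second")])
    writer.commit()
    copy = os.path.join(workdir, "snip-backup.db")
    status = backup_sqlite(live, copy)
    check = sqlite3.connect(copy)
    rows = check.execute("SELECT COUNT(*) FROM pastes").fetchone()[0]
    check.close()
    writer.close()
    return status, rows, os.stat(copy).st_mode & 0o777


if __name__ == "__main__":
    print(demo())
```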
Rate Limiting
Default rate limit: 120 requests per minute per IP address. Rate limiting is applied globally to all endpoints.
When exceeded, the server returns HTTP 429 (Too Many Requests).
Security Headers
Snip automatically sets these security headers on all responses:
| Header | Value |
|---|---|
| X-Content-Type-Options | nosniff |
| X-Frame-Options | DENY |
| Referrer-Policy | strict-origin-when-cross-origin |
| Permissions-Policy | geolocation=(), microphone=(), camera=() |
| Content-Security-Policy | Restricted to self + CDN sources |