https://github.com/varppi/crowbarforum

Forum written in C# that doesn't use ANY JAVASCRIPT BY DEFAULT
https://github.com/varppi/crowbarforum

asp-net forum forum-software no-js razor-pages

Last synced: about 2 months ago
JSON representation

Forum written in C# that doesn't use ANY JAVASCRIPT BY DEFAULT

• Host: GitHub
• URL: https://github.com/varppi/crowbarforum
• Owner: varppi
• License: gpl-3.0
• Created: 2025-06-06T05:59:59.000Z (4 months ago)
• Default Branch: main
• Last Pushed: 2025-08-09T07:10:37.000Z (2 months ago)
• Last Synced: 2025-08-09T08:51:20.981Z (2 months ago)
• Topics: asp-net, forum, forum-software, no-js, razor-pages
• Language: HTML
• Homepage:
• Size: 3.26 MB
• Stars: 1
• Watchers: 0
• Forks: 0
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

          


[![.NET](https://img.shields.io/badge/.NET-5C2D91?style=for-the-badge&logo=.net&logoColor=white)](https://img.shields.io/badge/.NET-5C2D91?style=for-the-badge&logo=.net&logoColor=white)

[![C#](https://img.shields.io/badge/c%23-%23239120.svg?style=for-the-badge&logo=csharp&logoColor=white)](https://img.shields.io/badge/c%23-%23239120.svg?style=for-the-badge&logo=csharp&logoColor=white)

[![Docker](https://img.shields.io/badge/docker-%230db7ed.svg?style=for-the-badge&logo=docker&logoColor=white)](https://img.shields.io/badge/docker-%230db7ed.svg?style=for-the-badge&logo=docker&logoColor=white)

[![Bootstrap](https://img.shields.io/badge/bootstrap-%238511FA.svg?style=for-the-badge&logo=bootstrap&logoColor=white)](https://img.shields.io/badge/bootstrap-%238511FA.svg?style=for-the-badge&logo=bootstrap&logoColor=white)

**Keywords for SEO:** No javascript , js free , privacy focused

### Crowbar Forum, a fully fledged somewhat secure, self hostable forum software built with C#, ASP.NET, Razor that *DOESN'T USE ANY JAVASCRIPT BY DEFAULT*. 

# Inspiration for the project

All the forums that don't use JS seem to be written in PHP, which is as a language laughably insecure, so I decided to make my own forum software striving to be more secure and modern than the PHP ones. I decided to go with ASP.NET, because it has good support for generating dynamic HTML content with Razor and, because it has a good inbuilt authentication and authorization system.

# Features and selling points

### Forum functions

- **Basic forum features like creating threads, comments etc...**

- **Altcha  POW catpcha integration (the only thing that uses JS in the whole project)**

- **Rate limits**

- **Admin only categories**

- **Can make threads visible to members only**

- **Customizable**

- **Markdown support**

### Security related

- **Built with security in mind, passed my own penetration tests**

- **WAF you can customize**

- **Access checks at every level reduces broken authorization vulnerabilities**

- **All JS blocked by server and enforced with a strict content security policy to prevent the effects of XSS and tracking** (unless captcha enabled)

- **Metadata, HTTP requests nor anyhting like that is logged**

- **Admin can wipe the forum of all data in case he suspects that an intruder is inside the server**





# Installation and usage

You can use dotnet on bare metal or use Docker. Docker is more recommended due to security reasons. It is also recommended to set up a reverse proxy like caddy if you are planning to run this as a clearnet site.

> [!NOTE]

> Look through the settings at Crowbar/Settings/appsettings.json before launching a production version.

### Docker

```bash

git clone https://github.com/Varppi/CrowbarForum

cd CrowbarForum/Crowbar

mkdir Crowbar/Database

docker build -t crowbar -f Crowbar/Dockerfile .

docker run --name crowbarforum_instance -v Crowbar/Database:/app/Database -v Crowbar/Settings:/app/Settings -p 8080:8080 crowbar

```

### Bare metal

```bash

git clone https://github.com/Varppi/CrowbarForum

cd CrowbarForum/Crowbar/Crowbar

dotnet tool install --global dotnet-ef 

export PATH=$PATH:~/.dotnet # Adding dotnet tool path to your $PATH variable (optional)

dotnet ef migrations remove 

dotnet ef migrations add ApplicationDbContextMigration

dotnet ef database update 

dotnet run

```





# Screenshots

**Remember, you can customize the CSS yourself easily if you want to change things up a little.**
















## Configuration

### Database

By default Crowbar Forum uses SQLite, but you can also use MSSQL or MySQL by changing the "database" field to `mysql/sqlite/mssql/postgre` and the "DefaultConnection" to match the format below:

#### Sqlite syntax

`Data Source=crowbarforum.db;`

#### MySQL, MSSQL and Postgresql syntax

`Server=myserver;Database=mydb;User=myuser;Password=mypassword;`

### WAF

Edit WafRegex.txt in the `Settings` directory.

### Encryption key

You can find the encryption key setting in the Settings/appsettings.json file. You can insert whatever password or random string you want, but if you put `RANDOMIZE_KEY` it will generate a random password at each startup. This also means that if you shut down the server, the database will be gone.





# Security 

### Security architecture

![design](https://github.com/user-attachments/assets/cd80125d-237d-4241-9e94-19998165f9ae)

With security being the main focus on this project, a lot of thought went into it. Here's a list of all the security mechanisms.

- WAF sends a custom sized 404 page with a custom status code which makes directory bruteforcing much more tedious.

- Every action needs to be accompanied by a valid user claim making sure that even if an unauthenticated or unauthorized user managed to bypass the higher level security measures, the user still wouldn't be able to make anything happen.

- At no point does the program make custom SQL statements. Everything goes through Ef Core ORM.

- All user inputs are validated.

- Almost everything is stored in an encrypted form. The key is specified in appsettings.json.

> [!CAUTION]

> No software is safe and things always get overlooked. If you have any tech expertise, I urge you to go through the code yourself and report vulnerabilities if you find any.

### Security vulnerabilities most probable

The most probable vulnerabilities to be found in this project are probably DOS and incorrect authorization vulnerabilities due to the structure of the project. Most data that a view uses doesn't go through a getter which could lead to potentially sensitive information being sent to an attacker. I've of course taken action and looked through the code and fixed all the vulnerabilities I could find, but there might still be some left.





# Roadmap

I'm just a single person making this, so it might take a while. Contributions are always welcome :)

### Priority 1

- [x] In rest encryption

- [x] Reply function

- [x] Likes

- [x] Easily customizable forum name

- [X] More customizable profile (description, pgp key etc)

- [x] Customizable WAF

- [ ] Clean up code

- [x] Support for hiding threads from non members

- [x] Setting to allow or disallow attachment downloads from non members

- [x] Admin only threads for announcements

- [x] Invite codes

### Priority 2

- [ ] Option to not have permanent encryption key, instead randomly generate one at startup

- [ ] Thread locking

- [ ] File storage

- [ ] Ranks

- [ ] Webhooks