| Version | Supported |
|---|---|
| 1.0.x | ✅ |
| < 1.0 | ❌ |
If you discover a security vulnerability within this project, please send an email to the project maintainer via LinkedIn or open a GitHub Issue with the label "security".
Please do not report security vulnerabilities through public GitHub issues.
When reporting a vulnerability, please include:
- Description: Clear description of the vulnerability
- Steps to reproduce: Exact steps to reproduce the issue
- Impact: Potential impact of the vulnerability
- Suggested fix: If you have a suggestion for how to fix the issue
- Acknowledgment: We will acknowledge receipt of your report within 48 hours
- Assessment: We will assess the vulnerability and determine its severity within 5 business days
- Fix: We will work on a fix and release it as soon as possible
- Disclosure: We will coordinate with you on the disclosure timeline
- Backend Only: All API keys (Groq, Google AI, LangSmith) are stored only on the backend server
- Never Exposed: API keys are never exposed to the Chrome extension
- Environment Variables: Keys are stored in
.envfiles, which are gitignored - No Hardcoding: API keys are never hardcoded in source files
- No Database: The project uses no database
- No Data Storage: No posts, comments, or user data are stored anywhere
- Real-time Only: Everything runs in real time without persistence
- Chrome Storage: The extension only uses
chrome.storage.localfor temporary comment caching
- Minimal Permissions: The extension only requests three permissions:
activeTab: Access to the current tab when the user interacts with the extensionstorage: Local storage for temporary comment cachingclipboardWrite: Copy comments to clipboard
- No Host Permissions: The extension does not request broad host permissions
- Content Script Isolation: Content scripts run in an isolated world
- CORS Configuration: Backend accepts requests from configured origins
- Input Validation: All inputs are validated using Pydantic schemas
- No Authentication: The project uses no authentication (by design)
- Rate Limiting: Not currently configured (see Known Limitations)
- HTTPS: All external API calls use HTTPS
- Message Passing: Content script communicates with background service worker via Chrome's secure message passing
- Local Only: Backend runs locally by default
-
CORS Configuration:
- Current: CORS is configured with
allow_origins=["*"](allows all origins) - Recommended: For production, restrict to specific origins
- Impact: Low for local development, medium for production deployments
- Current: CORS is configured with
-
No Rate Limiting:
- Current: No rate limiting is configured on the backend
- Recommended: Add rate limiting for production use
- Impact: Low for local use, medium for public deployments
-
No HTTPS for Local Backend:
- Current: Local backend runs on HTTP
- Recommended: For production, use HTTPS
- Impact: Low for local development
- Restrict CORS origins for production
- Add rate limiting to API endpoints
- Add HTTPS support for production deployment
- Add API key authentication for backend access
When contributing to this project, please follow these security practices:
- Never commit API keys: Ensure
.envfiles are in.gitignore - Validate inputs: Always validate user inputs using Pydantic schemas
- Use parameterized queries: If database access is added in the future
- Sanitize outputs: Prevent XSS when displaying user-generated content
- Follow least privilege: Request minimal permissions
- Keep dependencies updated: Regularly update Python and JavaScript dependencies
For security-related questions or concerns, please contact:
- LinkedIn: Himanshu
- GitHub Issues: Open an issue (for non-sensitive matters)