VaultNote implements comprehensive security measures to protect user data in an offline-first environment. All security features operate client-side with no external dependencies.
- Algorithm: AES-256-GCM (Galois/Counter Mode)
- Key Derivation: PBKDF2 with SHA-256
- Iterations: 600,000 (OWASP recommended minimum)
- IV Generation: Cryptographically secure random (12 bytes)
- Salt: 16 bytes, unique per encryption
- Authenticated encryption (prevents tampering)
- Unique IV for each encryption operation
- Secure key derivation from user password
- Memory-safe key handling (keys not extractable)
- Minimum 8 characters
- Stored as SHA-256 hash (never plaintext)
- Password verification uses constant-time comparison
- Maximum 5 failed attempts
- 15-minute lockout after max attempts
- Automatic lockout expiration
- Configurable session timeout (default: 30 minutes)
- Auto-lock on inactivity
- Activity monitoring (mouse, keyboard, scroll)
- Manual lock capability
- Whitelist-based tag filtering
- Attribute validation
- Style sanitization
- Event handler removal
- URL validation for links
- Block content length limits
- Null byte removal
- Control character filtering
- Prototype pollution prevention
- Protocol whitelist (http, https, mailto)
- Dangerous protocol blocking (javascript:, data:, etc.)
- Path traversal prevention
- Relative URL sanitization
- All external network requests blocked
- Only local connections allowed (localhost, 127.0.0.1, LAN)
- WebSocket restrictions (local only)
- Beacon API blocked
- Fetch API interception
- XMLHttpRequest interception
- Strict CSP headers
- Script source restrictions
- Style source restrictions
- Image source restrictions
- No external resource loading
- Prototype pollution protection
- Secure JSON parsing
- Data integrity verification
- Version tracking for migrations
- Optional password-protected encryption
- All sensitive data encrypted at rest
- Separate encryption keys per vault
- Secure key derivation
- Sensitive data overwritten with random data
- Memory zeroing after use
- Key material cleared from memory
- No persistent key storage
- Keys marked as non-extractable
- No key material in logs
- Secure random generation for all IDs
- No sensitive data in error messages
- Encryption enable/disable
- Vault lock/unlock
- Failed unlock attempts
- Network blocking
- XSS attempts
- Input validation failures
- Storage access
- Password changes
- In-memory only (not persisted)
- Maximum 1000 events
- Automatic rotation
- Event details and timestamps
- Blocked action tracking
- Overwrite with random data before deletion
- Multiple localStorage keys cleared
- Secure key removal
- Complete vault deletion
- Identify all vault-related keys
- Overwrite with random data
- Remove from localStorage
- Clear in-memory state
- Reset security configuration
-
Use Strong Passwords
- Minimum 8 characters
- Mix of uppercase, lowercase, numbers, symbols
- Unique password for vault
-
Enable Auto-Lock
- Set appropriate session timeout
- Lock manually when stepping away
- Use auto-lock on inactivity
-
Regular Backups
- Export encrypted backups
- Store backups securely
- Test backup restoration
-
Keep App Updated
- Security improvements in updates
- Bug fixes and patches
- New security features
-
Input Validation
- Always validate user input
- Use inputValidation module
- Sanitize before storage
-
Encryption
- Use encryption module for sensitive data
- Never store passwords in plaintext
- Use secure random for IVs and salts
-
Network Security
- Never make external requests
- Use network isolation
- Block all external connections
-
Error Handling
- Don't expose sensitive data in errors
- Log security events appropriately
- Handle failures gracefully
- AES-256-GCM encryption
- PBKDF2 key derivation (600k iterations)
- Password protection with lockout
- Session timeout and auto-lock
- HTML/XSS sanitization
- URL validation
- Prototype pollution protection
- Network isolation
- Content Security Policy
- Secure random generation
- Memory protection
- Secure deletion
- Audit logging
- Input validation
- Rate limiting
-
XSS Attacks
- HTML sanitization
- Attribute filtering
- Event handler removal
-
Prototype Pollution
- JSON parsing protection
- Object key filtering
- Recursive sanitization
-
SQL Injection
- Pattern detection
- Query sanitization
- Local database only
-
Command Injection
- Character filtering
- Pattern detection
- Input validation
-
Brute Force
- Rate limiting
- Lockout mechanism
- Failed attempt tracking
-
Data Exfiltration
- Network isolation
- No external requests
- Local-only storage
-
Memory Attacks
- Secure wiping
- Non-extractable keys
- Key material protection
-
Browser Security
- Depends on browser security
- Subject to browser vulnerabilities
- localStorage limitations
-
Physical Access
- Cannot protect against physical access
- Device encryption recommended
- OS-level security important
-
Malware
- Cannot protect against keyloggers
- Screen capture possible
- Clipboard monitoring possible
Security is an ongoing process. Regular updates include:
- Security patches
- Algorithm improvements
- New threat mitigations
- Best practice updates
If you discover a security vulnerability:
- Do not create a public issue
- Contact the maintainers privately
- Provide detailed information
- Allow time for fix before disclosure
VaultNote security features support:
- Data privacy requirements
- Offline-first architecture
- Zero-trust principles
- Defense in depth
- Principle of least privilege