Skip to content

Security: gkrajpa1/vaultnote

Security

SECURITY.md

VaultNote Security Documentation

Overview

VaultNote implements comprehensive security measures to protect user data in an offline-first environment. All security features operate client-side with no external dependencies.

Security Architecture

1. Data Encryption

At-Rest Encryption

  • Algorithm: AES-256-GCM (Galois/Counter Mode)
  • Key Derivation: PBKDF2 with SHA-256
  • Iterations: 600,000 (OWASP recommended minimum)
  • IV Generation: Cryptographically secure random (12 bytes)
  • Salt: 16 bytes, unique per encryption

Encryption Features

  • Authenticated encryption (prevents tampering)
  • Unique IV for each encryption operation
  • Secure key derivation from user password
  • Memory-safe key handling (keys not extractable)

2. Vault Password Protection

Password Requirements

  • Minimum 8 characters
  • Stored as SHA-256 hash (never plaintext)
  • Password verification uses constant-time comparison

Lockout Protection

  • Maximum 5 failed attempts
  • 15-minute lockout after max attempts
  • Automatic lockout expiration

Session Management

  • Configurable session timeout (default: 30 minutes)
  • Auto-lock on inactivity
  • Activity monitoring (mouse, keyboard, scroll)
  • Manual lock capability

3. Input Validation & XSS Protection

HTML Sanitization

  • Whitelist-based tag filtering
  • Attribute validation
  • Style sanitization
  • Event handler removal
  • URL validation for links

Content Validation

  • Block content length limits
  • Null byte removal
  • Control character filtering
  • Prototype pollution prevention

URL Validation

  • Protocol whitelist (http, https, mailto)
  • Dangerous protocol blocking (javascript:, data:, etc.)
  • Path traversal prevention
  • Relative URL sanitization

4. Network Security

Network Isolation

  • All external network requests blocked
  • Only local connections allowed (localhost, 127.0.0.1, LAN)
  • WebSocket restrictions (local only)
  • Beacon API blocked
  • Fetch API interception
  • XMLHttpRequest interception

Content Security Policy (CSP)

  • Strict CSP headers
  • Script source restrictions
  • Style source restrictions
  • Image source restrictions
  • No external resource loading

5. Secure Storage

localStorage Security

  • Prototype pollution protection
  • Secure JSON parsing
  • Data integrity verification
  • Version tracking for migrations

Encrypted Storage

  • Optional password-protected encryption
  • All sensitive data encrypted at rest
  • Separate encryption keys per vault
  • Secure key derivation

6. Memory Security

Secure Wiping

  • Sensitive data overwritten with random data
  • Memory zeroing after use
  • Key material cleared from memory
  • No persistent key storage

Memory Protection

  • Keys marked as non-extractable
  • No key material in logs
  • Secure random generation for all IDs
  • No sensitive data in error messages

7. Audit Logging

Security Events Tracked

  • Encryption enable/disable
  • Vault lock/unlock
  • Failed unlock attempts
  • Network blocking
  • XSS attempts
  • Input validation failures
  • Storage access
  • Password changes

Log Features

  • In-memory only (not persisted)
  • Maximum 1000 events
  • Automatic rotation
  • Event details and timestamps
  • Blocked action tracking

8. Secure Deletion

Data Wiping

  • Overwrite with random data before deletion
  • Multiple localStorage keys cleared
  • Secure key removal
  • Complete vault deletion

Deletion Process

  1. Identify all vault-related keys
  2. Overwrite with random data
  3. Remove from localStorage
  4. Clear in-memory state
  5. Reset security configuration

Security Best Practices

For Users

  1. Use Strong Passwords

    • Minimum 8 characters
    • Mix of uppercase, lowercase, numbers, symbols
    • Unique password for vault
  2. Enable Auto-Lock

    • Set appropriate session timeout
    • Lock manually when stepping away
    • Use auto-lock on inactivity
  3. Regular Backups

    • Export encrypted backups
    • Store backups securely
    • Test backup restoration
  4. Keep App Updated

    • Security improvements in updates
    • Bug fixes and patches
    • New security features

For Developers

  1. Input Validation

    • Always validate user input
    • Use inputValidation module
    • Sanitize before storage
  2. Encryption

    • Use encryption module for sensitive data
    • Never store passwords in plaintext
    • Use secure random for IVs and salts
  3. Network Security

    • Never make external requests
    • Use network isolation
    • Block all external connections
  4. Error Handling

    • Don't expose sensitive data in errors
    • Log security events appropriately
    • Handle failures gracefully

Security Checklist

  • AES-256-GCM encryption
  • PBKDF2 key derivation (600k iterations)
  • Password protection with lockout
  • Session timeout and auto-lock
  • HTML/XSS sanitization
  • URL validation
  • Prototype pollution protection
  • Network isolation
  • Content Security Policy
  • Secure random generation
  • Memory protection
  • Secure deletion
  • Audit logging
  • Input validation
  • Rate limiting

Threat Model

Protected Against

  1. XSS Attacks

    • HTML sanitization
    • Attribute filtering
    • Event handler removal
  2. Prototype Pollution

    • JSON parsing protection
    • Object key filtering
    • Recursive sanitization
  3. SQL Injection

    • Pattern detection
    • Query sanitization
    • Local database only
  4. Command Injection

    • Character filtering
    • Pattern detection
    • Input validation
  5. Brute Force

    • Rate limiting
    • Lockout mechanism
    • Failed attempt tracking
  6. Data Exfiltration

    • Network isolation
    • No external requests
    • Local-only storage
  7. Memory Attacks

    • Secure wiping
    • Non-extractable keys
    • Key material protection

Limitations

  1. Browser Security

    • Depends on browser security
    • Subject to browser vulnerabilities
    • localStorage limitations
  2. Physical Access

    • Cannot protect against physical access
    • Device encryption recommended
    • OS-level security important
  3. Malware

    • Cannot protect against keyloggers
    • Screen capture possible
    • Clipboard monitoring possible

Security Updates

Security is an ongoing process. Regular updates include:

  • Security patches
  • Algorithm improvements
  • New threat mitigations
  • Best practice updates

Reporting Security Issues

If you discover a security vulnerability:

  1. Do not create a public issue
  2. Contact the maintainers privately
  3. Provide detailed information
  4. Allow time for fix before disclosure

Compliance

VaultNote security features support:

  • Data privacy requirements
  • Offline-first architecture
  • Zero-trust principles
  • Defense in depth
  • Principle of least privilege

There aren't any published security advisories