Skip to content

[Security] Encrypt API keys at rest and fix SSRF #238

Closed
#264
Closed
[Security] Encrypt API keys at rest and fix SSRF#238
#264
Labels
priority: highHigh prioritysecuritySecurity vulnerability
@d-oit

Description

@d-oit
d-oit
opened on May 31, 2026

Problem

  1. API keys stored in plaintext localStorage (any XSS can steal them)
  2. SSRF in URL resolution — no private IP blocking
  3. No URL scheme validation (file://, javascript: allowed)

Solution

API Key Encryption

  • Use Web Crypto API (AES-GCM) to encrypt keys at rest
  • Generate encryption key on first use
  • Migrate existing plaintext keys

SSRF Protection

  • Block localhost, 127.0.0.1, private IPs
  • Validate URL scheme (http/https only)
  • Add error messages for blocked URLs

Files

  • src/lib/llm/config.ts — encryption
  • src/lib/llm/encryption.ts (new)
  • src/lib/resolver.ts — URL validation

Acceptance Criteria

  • API keys encrypted in localStorage
  • Decryption works correctly
  • Private IPs blocked
  • Non-HTTP schemes blocked
  • Migration handles existing keys

Priority

High — Security vulnerability.

Plan

See plans/37-security-quality-hardening.md Tasks 37.1, 37.2

Metadata

Metadata

Assignees

No one assigned

    Labels

    priority: highHigh prioritysecuritySecurity vulnerability

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions