Skip to content

Security

coder11125 edited this page May 1, 2026 · 1 revision

Security

API Key Storage

Your provider API keys (Google, OpenAI, Anthropic, etc.) are sensitive. Quasar AI protects them as follows:

  • Keys are encrypted with AES-256-GCM before being sent to the server
  • The encrypted format is hex(iv):hex(authTag):hex(ciphertext) — without the ENCRYPTION_KEY server secret, the ciphertext cannot be decrypted
  • Keys are never logged or stored in plain text anywhere on the server
  • On the client, keys are cached in localStorage for the session

Authentication

  • Passwords are hashed with bcrypt before storage — the plain password is never stored
  • Sessions use JWT tokens with a 7-day expiry, signed with a secret that never leaves the server
  • Login and registration endpoints are rate-limited to 10 attempts per IP per 15 minutes to prevent brute force attacks
  • Login timing is normalised to prevent user enumeration via response time differences

Data Sync

  • Chat histories and folders are synced to MongoDB under your user account
  • All sync API endpoints require a valid Bearer token — unauthenticated requests are rejected with 401
  • Expired tokens trigger a clean logout rather than a silent failure

XSS Prevention

  • All user-controlled content (message text, chat titles, folder names) is run through escapeHtml() before being injected into the DOM
  • The artifact panel preview iframe uses srcdoc with sandbox restrictions — previewed HTML cannot access your session or make credentialed requests

What Quasar Does Not Do

  • Does not read or log the content of your conversations
  • Does not sell or share your data
  • Does not store your API keys in plain text
  • Does not make API calls on your behalf without your action

Self-Hosted Instances

If you self-host Quasar AI, you control the server, the database, and the encryption key. Your data never touches the hosted instance at quasar-ai-two.vercel.app.

Clone this wiki locally