Agentex Resume Editor prioritizes user security and data privacy. This document outlines our security measures, policies, and procedures.
- No External Data Storage: User files and content are processed locally
- Temporary File Handling: Files are temporarily stored with UUID naming and cleaned up after processing
- API Communication: Only AI prompts and responses are sent to external AI services
- Local Storage: API keys are stored locally using Chrome Storage API
- No Code Storage: API keys are never hardcoded in the application
- User Control: Users manage their own API keys
// Allowed origins
const allowedOrigins = [
'chrome-extension://jdinfdcbfmnnoanojkbokdhjpjognpmk',
'https://agentex.vercel.app',
'http://localhost:3000'
];- Localhost Only: Server runs on localhost (127.0.0.1) only
- No External Access: Server is not accessible from external networks
- Port Isolation: Uses dedicated port (3000) for API communication
// Supported file types
const ALLOWED_TYPES = ['application/vnd.openxmlformats-officedocument.wordprocessingml.document', 'text/plain'];
// File size limits
const MAX_FILE_SIZE = 10 * 1024 * 1024; // 10MB- UUID Naming: Files use UUID-based naming to prevent conflicts
- Automatic Cleanup: Files are automatically deleted after processing
- Secure Directories: Files stored in
/tmpwith appropriate permissions
// File cleanup example
const extensions = ['.tex', '.log', '.aux', '.out'];
for (const ext of extensions) {
await fs.unlink(path.join(TMP_DIR, `${fileId}${ext}`)).catch(() => {});
}{
"permissions": [
"activeTab",
"scripting",
"sidePanel",
"storage",
"contextMenus",
"unlimitedStorage"
]
}{
"host_permissions": [
"http://localhost:3000/*",
"https://agentex.vercel.app/*"
]
}- Request Queuing: Only one compilation request per client at a time
- Timeout Protection: 120-second timeout for long-running operations
- Memory Limits: 10MB limit for JSON payloads
// Validate LaTeX input
if (!latex || typeof latex !== 'string') {
return res.status(400).json({
success: false,
error: 'Invalid LaTeX content'
});
}- Email: Send security reports to [security email - to be added]
- Include:
- Detailed description of the vulnerability
- Steps to reproduce
- Potential impact assessment
- Suggested fixes (if any)
- Acknowledgment: Within 48 hours
- Initial Assessment: Within 1 week
- Fix Timeline: Varies based on severity
- Remote code execution
- Unauthorized file access
- API key exposure
- Local privilege escalation
- Data corruption
- Service denial
- Information disclosure
- Input validation bypass
- Minor security misconfigurations
- Security best practice violations
- Minor information leaks
- Generate Dedicated Keys: Use separate API keys for Agentex
- Regular Rotation: Rotate API keys periodically
- Monitor Usage: Check API usage for unusual activity
- Secure Storage: Don't share or expose API keys
- Trusted Content: Only upload your own resume files
- Job Descriptions: Verify job descriptions from legitimate sources
- Review Output: Always review AI-generated content before use
- Local Network: Use on trusted networks only
// Always validate inputs
function validateInput(input) {
if (!input || typeof input !== 'string' || input.length > MAX_LENGTH) {
throw new Error('Invalid input');
}
return input.trim();
}
// Handle errors securely
try {
const result = await processFile(file);
} catch (error) {
console.error('[Security] Processing error:', error.message); // Don't log sensitive data
throw new Error('Processing failed'); // Generic error message
}// Secure file operations
async function secureFileWrite(content, filePath) {
// Validate file path
if (!filePath.startsWith(TMP_DIR)) {
throw new Error('Invalid file path');
}
// Write with proper permissions
await fs.writeFile(filePath, content, { mode: 0o600 });
}- File processing events
- API request/response metadata (not content)
- Error conditions
- Server startup/shutdown events
- File contents
- API keys
- Personal information
- User inputs
// Example secure logging
console.log('[Server] File processed:', {
fileId: fileId,
type: file.mimetype,
size: file.size,
timestamp: Date.now()
// Note: file content is NOT logged
});// Good: Generic error message
res.status(500).json({
success: false,
error: 'Processing failed'
});
// Bad: Exposing system details
res.status(500).json({
success: false,
error: error.stack // Contains system information
});- Security Patches: Immediate deployment for critical issues
- Version Updates: Regular updates for dependencies
- Security Reviews: Periodic security audits
- Critical: Immediate notification to users
- High: Notification with next update
- Medium/Low: Included in release notes
{
"content_security_policy": {
"extension_pages": "script-src 'self' 'wasm-unsafe-eval'; object-src 'self'"
}
}- AI APIs: All external API calls use HTTPS
- Local Development: HTTP allowed for localhost only
- Production: HTTPS enforced for all external resources
- No Personal Data Storage: Extension doesn't store personal data externally
- User Control: Users control all data processing
- Right to Deletion: Users can clear all local data
- Minimal Data Collection: Only necessary data is processed
- Purpose Limitation: Data used only for resume optimization
- Transparency: Clear information about data usage
- Dependency vulnerability scanning
- Code quality analysis
- Permission auditing
- Penetration testing for server endpoints
- File upload security testing
- API integration security review
- Input validation implemented
- Output sanitization in place
- Error messages don't expose sensitive information
- Files are properly cleaned up
- API keys are stored securely
- CORS policies are restrictive
- Dependencies are up to date
- Permissions are minimal
- Detection: Identify security incident
- Assessment: Evaluate impact and scope
- Containment: Limit damage and exposure
- Eradication: Remove vulnerability
- Recovery: Restore normal operations
- Lessons Learned: Document and improve
- Users: Notify affected users promptly
- Stakeholders: Update relevant parties
- Documentation: Update security measures
- Helmet.js: Security headers for Express
- Rate Limiting: Express rate limit middleware
- Input Validation: Joi or similar validation libraries
For security-related questions or concerns:
- Create an issue with the
securitylabel - Follow responsible disclosure practices
- Provide detailed information for faster resolution
Remember: Security is a shared responsibility. Users, developers, and maintainers all play a role in keeping Agentex secure.