🔒 Security Overview

Security you can
verify, not trust.

Kurae was designed security-first. Your notes, keys, and data are protected by architecture — not just policy.

Security pillars
🔐

API Keys Server-Side Only

All AI provider credentials are environment variables on Vercel. They never reach the browser. Every AI call is proxied through our server with zero client-side key exposure.

🛡️

Clerk Authentication on Every Route

Every API route calls auth() from Clerk server SDK before touching any data. Unauthenticated requests receive 401 — no data is returned, no error detail is leaked.

🔒

TLS 1.3 in Transit

All traffic between your browser, our servers, Neon, and AI providers is encrypted using TLS 1.3. No plaintext connections are permitted.

🗄️

Per-User Data Isolation

Every database query includes WHERE user_id = ? scoped to the authenticated Clerk user ID. No user can access, infer, or corrupt another user's data.

🧱

Content Security Policy

A strict CSP whitelist blocks untrusted scripts, styles, frames, and connections. Browser extensions and injected scripts cannot exfiltrate data from the app context.

🚫

Input Validation & Rate Limiting

All API inputs are validated server-side (field types, lengths, enums). AI endpoints cap payload size to prevent prompt injection via oversized inputs. Public endpoints enforce IP-based rate limits.

🔢

AES-256 Encryption at Rest

Neon PostgreSQL encrypts all data at rest using AES-256. Backups are also encrypted. Database credentials are stored as Vercel environment variables, never in source code.

🌐

Dependency Transparency

We rely on widely-audited, open-source dependencies: Clerk, Neon, Next.js 15, Vercel AI SDK, Drizzle ORM. No hand-rolled cryptography. Automated Dependabot alerts for CVEs.

HTTP security headers

Every response is hardened.

Applied automatically by our Next.js server on all responses.

Strict-Transport-Securitymax-age=63072000; includeSubDomainsHSTS — forces HTTPS for 2 years including all subdomains. Browsers will not load Kurae over HTTP.
X-Frame-OptionsSAMEORIGINPrevents clickjacking by blocking the app from being embedded in an iframe on another domain.
X-Content-Type-OptionsnosniffPrevents MIME-type sniffing attacks — browsers will not execute scripts with wrong content-type.
Referrer-Policystrict-origin-when-cross-originLimits referrer information shared with third parties to origin only on cross-origin requests.
Permissions-Policycamera=(), microphone=(), geolocation=()Explicitly disables access to camera, microphone, and geolocation APIs.
Content-Security-Policydefault-src 'self'; ...Strict allowlist of permitted sources for scripts, styles, fonts, media, and connections.
Responsible Disclosure Policy

Found a vulnerability? Tell us first.

We follow responsible disclosure principles. If you discover a security vulnerability, please report it privately before public disclosure. We commit to the following response timeline:

1
Report received
Within 24 hours
2
Triage & assess
Within 48 hours
3
Patch critical
Within 72 hours
4
Patch high/medium
Within 14 days
5
Patch low severity
Within 30 days
6
CVE filed if needed
After patch
In scope
Authentication bypasses
Authorisation flaws (IDOR, privilege escalation)
SQL injection / data exfiltration
Cross-site scripting (XSS)
Cross-site request forgery (CSRF)
Server-side request forgery (SSRF)
Sensitive data exposure
Remote code execution
Out of scope
Social engineering of Kurae staff
Physical security attacks
Denial of service (DoS/DDoS)
Spam or phishing not involving Kurae infrastructure
Vulnerabilities in third-party services (Clerk, Vercel, Neon) — report to them directly
Issues already publicly disclosed or patched
Rate limiting without proof of impact
🐛

Safe harbour

We will not pursue legal action against researchers who follow this policy. We ask that you: not access or modify user data beyond your own test account; not disrupt the Service; and allow us the response timeline above before public disclosure.

Report a vulnerability →
security@kurae.app · We respond within 24 hours