Skip to content

Security

Pluma's security model in two pages.

Page Topic
Threat model What Pluma defends against, what it doesn't, what's user responsibility.
Reporting issues Private security-advisory flow + acknowledgement.

For policy + supported-version commitments, see SECURITY.md in the repo root.

TL;DR

  • Chat content is AES-256-GCM encrypted on disk; the key lives in the OS keyring.
  • API keys never touch the filesystem in plaintext; OS keyring under per-connection namespaces.
  • /api/* is gated behind WebAuthn passkeys when require_auth = true (the default). Loopback can be exempted; per-origin grace lets first-pair through.
  • Host allowlist with IP / CIDR / hostname patterns; trusted-proxy aware (rightmost-untrusted XFF semantics).
  • SSRF guard on every user-provided URL fetch (character imports, voice URL imports). Blocks private addresses and metadata IPs.
  • HSTS + secure cookies on HTTPS; CSP currently absent and tracked under smelt-sze.