If you discover a security vulnerability, please report it responsibly:
- Do not open a public GitHub issue
- Email pablo@explorinder.com or use GitHub's private vulnerability reporting
- Include steps to reproduce the issue
- Allow reasonable time for a fix before public disclosure
This project handles:
- User-generated prompts sent to the DeepSeek API
- IndexedDB data stored locally in the browser
- Optional PostgreSQL database with dictionary and text data
- API endpoints with rate limiting
- API key: The
DEEPSEEK_API_KEYis server-side only and must never be exposed to the client. The Vite dev server middleware and Express server both keep it on the backend. - User input: All user inputs sent to the LLM are length-limited and sanitized before forwarding to the API.
- Rate limiting: API endpoints are rate-limited to prevent abuse (20 req/min for AI endpoints, 120 req/min for DB endpoints).