# Security

## Credential Storage

### Dropbox App Key
- Store it in `cairn.json` in the config directory, not in an environment variable
- Environment variables leak easily: any process running as the same user can read them (`ps eww`, `/proc/<pid>/environ`), and they routinely end up in shell history, crash dumps, logs, and CI/CD output
- The app key is a shared secret for the entire Cairn application; keep it secure
```json
{
  "dropbox_app_key": "your-app-key"
}
```

Ensure restrictive permissions:

```sh
chmod 600 ~/.config/cairn/cairn.json
```

### OAuth2 Tokens (sync.json)
- Stored in plaintext in the OS config directory
- Created with `0600` permissions (owner-only) automatically
- If `sync.json` is compromised, an attacker can read and write your Dropbox bookmarks
| OS | Path |
|---|---|
| Linux | ~/.config/cairn/sync.json |
| macOS | ~/Library/Application Support/cairn/sync.json |
| Windows | %APPDATA%\cairn\sync.json |
Run `cairn sync unlink` to revoke access before selling or donating your machine.
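The `chmod 600` above protects the file once, but nothing stops a later copy, backup restore, or careless `chmod` from widening it again. A program that holds credentials should create them owner-only from the start and refuse to load a file that anyone else can read, the policy OpenSSH applies to private keys. The following is an added example, not Cairn's own code: it assumes Cairn is written in Go (as the contributor checklist's reference to the `crypto/*` stdlib suggests), the function names `WriteSecret`, `CheckPerms` and `LoadConfig` are invented for illustration, and the key value is a constructed placeholder. The same pattern covers `sync.json` and the `0600`/`0700` item in the contributor checklist.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"runtime"
)

// Config mirrors the cairn.json shape shown on this page.
type Config struct {
	DropboxAppKey string `json:"dropbox_app_key"`
}

// ErrInsecurePerms is returned when a credential file is readable or
// writable by anyone other than its owner.
var ErrInsecurePerms = errors.New("credential file is group- or world-accessible")

// WriteSecret creates the config directory with 0700 and writes data to
// path with 0600. os.CreateTemp opens the temp file 0600, so the secret is
// never world-readable even for an instant, and the final os.Rename makes
// the update atomic: a crash leaves either the old file or the new one,
// never a truncated half.
func WriteSecret(path string, data []byte) error {
	dir := filepath.Dir(path)
	if err := os.MkdirAll(dir, 0o700); err != nil {
		return err
	}
	tmp, err := os.CreateTemp(dir, ".cairn-*")
	if err != nil {
		return err
	}
	defer os.Remove(tmp.Name()) // no-op once the rename has succeeded
	if _, err := tmp.Write(data); err != nil {
		tmp.Close()
		return err
	}
	if err := tmp.Close(); err != nil {
		return err
	}
	return os.Rename(tmp.Name(), path)
}

// CheckPerms rejects any mode with group or other bits set. On Windows,
// Go reports only the read-only bit (0666/0444), so Unix mode checks are
// meaningless there; NTFS ACLs on %APPDATA% would need a separate check.
func CheckPerms(path string) error {
	fi, err := os.Stat(path)
	if err != nil {
		return err
	}
	if runtime.GOOS == "windows" {
		return nil
	}
	if fi.Mode().Perm()&0o077 != 0 {
		return fmt.Errorf("%s: %w (mode %04o)", path, ErrInsecurePerms, fi.Mode().Perm())
	}
	return nil
}

// LoadConfig checks permissions before it parses, so a widened file is an
// error rather than a silently used credential.
func LoadConfig(path string) (*Config, error) {
	if err := CheckPerms(path); err != nil {
		return nil, err
	}
	b, err := os.ReadFile(path)
	if err != nil {
		return nil, err
	}
	var c Config
	if err := json.Unmarshal(b, &c); err != nil {
		return nil, err
	}
	if c.DropboxAppKey == "" {
		return nil, errors.New("dropbox_app_key missing from config")
	}
	return &c, nil
}

func main() {
	dir, err := os.MkdirTemp("", "cairn-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	path := filepath.Join(dir, "cairn", "cairn.json")
	// Constructed placeholder value, not a real Dropbox app key.
	if err := WriteSecret(path, []byte(`{"dropbox_app_key": "your-app-key"}`)); err != nil {
		panic(err)
	}
	cfg, err := LoadConfig(path)
	if err != nil {
		panic(err)
	}
	fmt.Println("loaded key:", cfg.DropboxAppKey)
	os.Chmod(path, 0o644) // simulate a careless chmod on the same file
	_, err = LoadConfig(path)
	fmt.Println("after chmod 644:", err)
}
```

The check is deliberately strict (`0o077` rather than `0o022`): a group-readable token is already a leak on a shared machine, and the owner can always fix the mode and retry.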
### Bookmark Database

- Bookmarks are stored in plaintext SQLite (`bookmarks.db`)
- No encryption at rest
- Mitigation: use full-disk encryption (LUKS, FileVault, BitLocker)
## Best Practices

- Enable disk encryption: LUKS (Linux), BitLocker (Windows), or FileVault (macOS)
- Restrict config file permissions: `chmod 600 ~/.config/cairn/cairn.json`
- Never commit config files: add `cairn.json` and `sync.json` to `.gitignore`
- Prefer the config file over environment variables for the Dropbox app key in long-running sessions
- Unlink before losing access: run `cairn sync unlink` before selling or wiping your machine
- Monitor Dropbox activity: check your Dropbox account for unexpected access
- Keep Cairn updated: run the installer again to get the latest release
## Reporting Vulnerabilities
If you discover a security vulnerability, please report it responsibly by opening a GitHub Security Advisory instead of a public issue. Include:
- Description — what is the vulnerability?
- Impact — what could an attacker do?
- Steps to reproduce — how can it be triggered?
- Affected versions — which versions are vulnerable?
We will acknowledge reports within 48 hours and work to release a patch promptly.
## Known Limitations
| Limitation | Mitigation |
|---|---|
| OAuth2 tokens stored in plaintext | Use disk encryption; restrict file permissions |
| No keychain/credential manager integration | Planned for a future release |
| Bookmarks stored in plaintext SQLite | Use full-disk encryption |
| Sync snapshots stored in plaintext Dropbox JSON | Use Dropbox with client-side encryption |
## Contributor Security Checklist

When submitting a pull request, please verify:

- No hardcoded credentials or secrets
- Proper file permissions for sensitive files (`0600` for tokens, `0700` for config dirs)
- Input validation at system boundaries (user input, URLs)
- Use of the `crypto/*` stdlib for cryptographic operations
- No deprecated or insecure libraries
- Tests for security-sensitive code paths
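Of the checklist items, URL validation is the one most specific to a bookmark manager: a stored URL is later opened in a browser or rendered into a page, so a `javascript:`, `data:` or `file:` "bookmark" becomes a payload the moment it is clicked. Below is an added example of what a boundary check could look like; it is not Cairn's own code, it assumes Go as the project language, and the `ValidateBookmarkURL` function and its test inputs are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ErrBadURL wraps every rejection so callers can match it with errors.Is.
var ErrBadURL = errors.New("rejected bookmark URL")

// ValidateBookmarkURL accepts only absolute http(s) URLs with a host and
// returns a normalised form (lower-case scheme and host, surrounding
// whitespace removed). Everything else is rejected by allow-list, not by
// a deny-list of known-bad schemes.
func ValidateBookmarkURL(raw string) (string, error) {
	raw = strings.TrimSpace(raw)
	if raw == "" || len(raw) > 2048 {
		return "", fmt.Errorf("%w: empty or longer than 2048 bytes", ErrBadURL)
	}
	// Embedded control characters can split log lines or smuggle headers
	// into whatever later consumes the URL.
	for _, r := range raw {
		if r < 0x20 || r == 0x7f {
			return "", fmt.Errorf("%w: contains control character", ErrBadURL)
		}
	}
	u, err := url.Parse(raw)
	if err != nil {
		return "", fmt.Errorf("%w: %v", ErrBadURL, err)
	}
	switch u.Scheme { // url.Parse already lower-cases the scheme
	case "http", "https":
	default:
		return "", fmt.Errorf("%w: scheme %q not allowed", ErrBadURL, u.Scheme)
	}
	if u.Hostname() == "" {
		return "", fmt.Errorf("%w: missing host", ErrBadURL)
	}
	// user:pass@host would store a credential inside the bookmark database.
	if u.User != nil {
		return "", fmt.Errorf("%w: embedded credentials", ErrBadURL)
	}
	u.Host = strings.ToLower(u.Host)
	return u.String(), nil
}

func main() {
	// Constructed inputs mixing legitimate bookmarks with hostile ones.
	inputs := []string{
		"  HTTPS://Example.COM/path?q=1 ",
		"http://example.com/a\nb",
		"javascript:alert(1)",
		"file:///etc/passwd",
		"https://user:pw@example.com/",
		"example.com",
	}
	for _, in := range inputs {
		out, err := ValidateBookmarkURL(in)
		if err != nil {
			fmt.Printf("%-36q REJECT %v\n", in, err)
			continue
		}
		fmt.Printf("%-36q OK     %s\n", in, out)
	}
}
```

Keeping the check at the boundary (where the URL enters, before it reaches SQLite or a sync snapshot) means every later consumer can trust the stored value without repeating the validation.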