Skip to content
HomeWebAppSetDocsAbout
🌐 Auto English 简体中文 繁體中文 Español Français Русский العربية Português Deutsch 日本語 한국어 हिन्दी

Security

Moraya is designed with security as a priority. This page describes the key security measures built into the application.

API Key Storage (OS Keychain)

API keys are encrypted and stored in the operating system’s native credential manager:

PlatformStorage
macOSKeychain Access
WindowsCredential Manager
Linuxlibsecret / Secret Service

Keys are never stored in plain text files or exposed in the frontend JavaScript.

Rust AI Proxy

All LLM API calls are routed through the Rust backend:

  1. The frontend sends a request to Rust via Tauri IPC
  2. Rust retrieves the API key from the OS Keychain
  3. Rust adds authentication headers and forwards the request to the provider
  4. The response is streamed back to the frontend

This prevents API keys from appearing in browser devtools, network inspection, or WebView memory.

Content Security Policy (CSP)

Tauri’s CSP configuration restricts what the WebView can load and execute:

This prevents cross-site scripting (XSS) and unauthorized external connections.

MCP Security

MCP server processes are protected by multiple layers:

Path Traversal Protection

File operations validate all paths to prevent directory traversal attacks:

HTML Sanitization

User-generated and imported HTML content is sanitized before rendering: