Security: sricursion/mini-pplx

Security

SECURITY.md

Security Measures

This document outlines the security measures implemented in the Perplexity Clone application.

API Key Security

Server-Side Only

  • All API keys (Exa and Mistral) are stored in environment variables
  • API keys are only accessed in server-side code (lib/exa-client.ts, lib/mistral-client.ts)
  • API routes run on the server, never exposing credentials to the client
  • Next.js excludes environment variables from the client bundle unless their names start with NEXT_PUBLIC_, so the API key variables must not use that prefix

Environment Variable Protection

  • .env.local and .env files are in .gitignore to prevent accidental commits
  • .env.local.example provides a template without actual credentials
  • Environment variables are validated at build time in next.config.ts

Verification

To verify API keys are not in the client bundle:

  1. Build the application: npm run build
  2. Check .next/static/ - no environment variables should appear
  3. Inspect browser Network tab - no API keys in responses
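
Step 2 can be automated. The script below is an added example, not part of the mini-pplx repository: it searches the build output for the key values themselves and treats "no key loaded" as a failed check rather than a pass. The variable names EXA_API_KEY and MISTRAL_API_KEY are assumptions, since this document does not name them; override SECRET_VARS to match your .env.local.

```shell
#!/bin/sh
# Added example: scan built client assets for secret *values*.
# EXA_API_KEY and MISTRAL_API_KEY are assumed names; override SECRET_VARS.
SECRET_VARS="${SECRET_VARS:-EXA_API_KEY MISTRAL_API_KEY}"

# scan_bundle DIR
#   returns 0 = no secret value found, 1 = leak found, 2 = nothing could be checked
scan_bundle() {
  dir="$1"
  [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
  leaked=0
  checked=0
  for name in $SECRET_VARS; do
    # Accept only plain identifiers before the eval below.
    case "$name" in
      ''|[0-9]*|*[!A-Za-z0-9_]*) echo "skip invalid name: $name" >&2; continue ;;
    esac
    eval "value=\${$name-}"
    # An unset or very short value cannot be searched for meaningfully.
    if [ "${#value}" -lt 8 ]; then
      echo "WARN $name is unset or too short; not checked" >&2
      continue
    fi
    checked=$((checked + 1))
    # -F: fixed string, -l: file names only, so the key itself is never echoed.
    hits=$(grep -rlF -e "$value" "$dir" 2>/dev/null) || true
    if [ -n "$hits" ]; then
      leaked=1
      echo "LEAK $name found in:" >&2
      echo "$hits" | sed 's/^/  /' >&2
    fi
  done
  # A scan run without the keys loaded proves nothing; do not report success.
  [ "$checked" -gt 0 ] || { echo "no secrets loaded; nothing verified" >&2; return 2; }
  return "$leaked"
}

# Usage after `npm run build`, with the keys loaded into the shell:
#   scan_bundle .next/static
```

Run it in the same environment the build used, so the values being searched for are the ones that could have been inlined.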

Input Sanitization (XSS Prevention)

Implementation

  • lib/input-sanitizer.ts provides sanitization utilities
  • All user input is sanitized before processing
  • HTML tags and script patterns are removed
  • Dangerous patterns (javascript:, on*= handlers) are filtered

Functions

  • sanitizeInput(): Removes dangerous characters and patterns
  • isInputSafe(): Validates input doesn't contain XSS patterns
  • escapeHtml(): Escapes HTML special characters for display

Usage

import { sanitizeInput, isInputSafe } from '@/lib/input-sanitizer';

// Validate input
if (!isInputSafe(userInput)) {
  throw new Error('Invalid input');
}

// Sanitize before processing
const clean = sanitizeInput(userInput);

CORS Configuration

Headers

CORS headers are configured in next.config.ts:

  • Access-Control-Allow-Origin: Configurable via ALLOWED_ORIGIN env var
  • Access-Control-Allow-Methods: POST, OPTIONS only
  • Access-Control-Allow-Headers: Content-Type, Authorization
  • Preflight requests handled via OPTIONS endpoint

Production Configuration

Set ALLOWED_ORIGIN environment variable to your production domain:

ALLOWED_ORIGIN=https://yourdomain.com

For development, it defaults to * (all origins).

Security Headers

The following security headers are configured in next.config.ts:

Content Security

  • X-Content-Type-Options: nosniff - Prevents MIME type sniffing
  • X-Frame-Options: SAMEORIGIN - Prevents clickjacking
  • X-XSS-Protection: 1; mode=block - Enables the legacy XSS filter in browsers that still implement it

Transport Security

  • Strict-Transport-Security - Forces HTTPS connections
  • Referrer-Policy: origin-when-cross-origin - Controls referrer information

Permissions

  • Permissions-Policy - Restricts access to camera, microphone, geolocation

Additional Security Measures

Request Validation

  • Query validation prevents empty/invalid submissions
  • JSON parsing errors are caught and handled gracefully
  • Type checking ensures data integrity

Error Handling

  • Technical error details are never exposed to users
  • Stack traces are logged server-side only
  • User-friendly error messages prevent information leakage

Rate Limiting

  • API errors (429) are handled gracefully
  • Users are informed to wait before retrying
  • Consider adding rate limiting middleware for production

Security Checklist

  • API keys stored in environment variables only
  • Environment files in .gitignore
  • Input sanitization implemented
  • XSS prevention measures in place
  • CORS configured properly
  • Security headers configured
  • No credentials in client bundle
  • Error messages don't leak sensitive info
  • HTTPS enforced in production (via headers)

Recommendations for Production

  1. Set ALLOWED_ORIGIN: Configure specific domain instead of wildcard
  2. Enable Rate Limiting: Add rate limiting middleware to API routes
  3. Use HTTPS: Ensure SSL/TLS certificates are properly configured
  4. Monitor Logs: Set up logging and monitoring for security events
  5. Regular Updates: Keep dependencies updated for security patches
  6. API Key Rotation: Regularly rotate API keys
  7. Content Security Policy: Consider adding CSP headers for additional protection

Reporting Security Issues

If you discover a security vulnerability, please email security@yourdomain.com instead of using the issue tracker.