Security
Minimum permissions. Local-first. Designed to keep your data on your device.
Permissions we request
- Storage: Save your settings and whitelist locally
- Notifications: Show release notes after updates
- Host access: Detect text in input fields across websites
Sites we never run on
By default, Veilora is disabled on sensitive authentication and banking pages:
- Chase, Bank of America
- Google account login pages
- Microsoft login pages
How detection works
- All scanning runs in an isolated content script in your browser
- No external API calls during detection
- No third-party libraries that send data
- Strict Content Security Policy on extension pages
Found a security issue?
We take security seriously. If you discover a vulnerability, please email us at security@veilora.app and we will respond within 48 hours.