SiteQuest HelpSecurity Model
How SiteQuest keeps your data and browsing private and secure.
SiteQuest is built on Electron with a security-first architecture. Here's exactly what protects your data.
Encrypted Local Storage
All app data — settings, preferences, history, and auth tokens — is saved to an AES-256-GCM encrypted vault on your device. The encryption key is derived using PBKDF2 with 100,000 iterations and SHA-512, seeded by a machine-specific identifier.
This means:
- Your data at rest is encrypted, even if someone accesses your filesystem
- The key never leaves your device
- No plain-text data files are left on disk
Session Isolation
Every site you browse in SiteQuest runs in its own isolated Electron session partition (persist:sitequest). Incognito mode uses a fully ephemeral (in-memory) partition that leaves no trace on disk when closed.
| Mode | Cookies | Cache | History |
|---|---|---|---|
| Normal | Persisted in isolated session | Persisted | Saved |
| Incognito | In-memory only, wiped on close | In-memory only | Not saved |
Third-party cookies are blocked by default. Sites cannot track you across domains without your consent.
Auth Security
SiteQuest uses Auth0 for authentication, supporting:
- Google Sign-In
- Microsoft / Azure AD
- Apple Sign-In
- GitHub OAuth
Auth tokens are stored only in the encrypted vault — never in plain localStorage or cookies accessible to web pages. An HMAC-SHA256 signature is computed over your user record and verified on every feature access to detect tampering.
An offline grace period of 3 days is enforced — if SiteQuest can't validate your session after 3 days offline, it automatically reverts to the free tier to prevent credential replay attacks.
CORS and Network Security
The AI assistant sends requests through the main Electron process (not the webview renderer), bypassing CORS entirely without exposing your API key to web pages. AI requests are strictly whitelisted to:
openrouter.aigenerativelanguage.googleapis.comlocalhost/127.0.0.1(for local AI models like Ollama)
Any AI request to a non-whitelisted destination is blocked server-side before it leaves the app.
WebRTC Privacy
SiteQuest disables WebRTC's ability to expose your local IP address. Sites cannot use WebRTC to discover your real IP even if you're behind a VPN.
Tracker and Ad Blocking
SiteQuest uses the Ghostery adblocker engine with regularly updated filter lists. When enabled, tracker and ad network requests are blocked before they leave your device — no data is ever sent to those domains.
You can see which trackers were blocked on the current page via the shield icon in the toolbar.
Integrity Verification
SiteQuest verifies its own file integrity at startup using cryptographic hashes. If any core files have been modified after installation, the app detects the change and may restrict features to protect your data.
What SiteQuest Does NOT Do
- No keylogging — SiteQuest does not capture keyboard input outside the app window
- No screenshot harvesting — screen capture is only triggered by explicit user action
- No selling data — analytics are aggregate and anonymized; individual browsing data never leaves your device
- No persistent cloud storage of browsing history — history is stored locally in the encrypted vault
For a full breakdown of our data practices, see our Privacy Policy.
Related Articles
SiteQuest Help
Documentation for SiteQuest
Cloud Sync
Keep your sidebar, settings, and progress in sync across devices.
Account & Subscriptions
Manage your account, sign in, and choose the right plan.
Referral Program
Share SiteQuest with your friends and earn premium rewards.
Sign Up & Log In
Create your SiteQuest account or sign in to an existing one.
Plans & Tiers
What you get with each SiteQuest plan.