13 - Security and Privacy
Local-First Data Handling
API Freeman stores request artifacts locally in your selected library folder. There is no built-in cloud workspace synchronization layer in current implementation.
Stored local artifacts include:
- Request YAML documents
- Optional body sidecar files
- Folder variable files
- Local app settings (library root path)
Process Isolation
Electron BrowserWindow security settings include:
contextIsolation: truenodeIntegration: false
Meaning:
- Renderer cannot directly access Node APIs
- Privileged operations are routed through preload IPC bridge
Controlled IPC Surface
Preload exposes a narrow desktopApi interface.
Renderer only invokes explicit methods provided by preload.
Network Privacy Boundaries
Request execution occurs in Electron main process using Node fetch. This removes renderer CORS friction, but also means:
- Outgoing requests are fully controlled by user-entered targets
- Sensitive request data can leave machine when user sends to external endpoints
Data You Should Treat as Sensitive
Potentially sensitive local data:
- Authorization headers
- Tokens in URL or headers
- Body payloads containing PII
- Folder variable values
Recommended practice:
- Keep library folder in a secure local path
- Use OS account protections
- Avoid committing sensitive artifacts to public repositories
Script Security Status
Script execution support exists but is currently disabled by flag. If enabled in future, scripts run in VM sandbox with timeout, but should still be treated as executable code risk.
Import Safety Considerations
Imported specs and collections can contain large/generated payloads and script content. Always review imported requests before using in production or with sensitive systems.
Practical Privacy Summary
API Freeman currently aligns with local-first operation:
- No required cloud account
- No built-in remote telemetry pipeline in application logic shown here
- Data remains local unless user intentionally sends requests/import URL fetches