Security Overview

QueryMind is designed with security as a first-class priority. Your database credentials and sensitive data are protected using industry-standard encryption and platform-native security features.

Zero-Knowledge Architecture

Your credentials never leave your machine. QueryMind uses a zero-knowledge architecture where all sensitive data is encrypted and stored locally on your device. Our cloud services never receive or store your database passwords.

Credential Storage

Platform-Native Encryption

QueryMind uses Electron's safeStorage API, which leverages your operating system's native secure storage:

| Platform | Storage Mechanism |
| --- | --- |
| macOS | Keychain Services |
| Windows | Data Protection API (DPAPI) |
| Linux | Secret Service API / libsecret |

This means your credentials are protected by the same security mechanisms that protect your system passwords and other sensitive data.

How It Works

  1. When you save a database connection, the password is encrypted using your OS's native encryption
  2. The encrypted data is stored locally in a secure credential store
  3. Only your user account on your machine can decrypt the credentials
  4. Credentials are never transmitted to our servers

Data Encryption

At Rest

All sensitive data stored locally is encrypted:

  • Database passwords - Encrypted via platform-native safeStorage API
  • SSH key passphrases - Encrypted using the same mechanism
  • OAuth refresh tokens - Encrypted and stored in the credential store
  • API keys (BYOK) - Encrypted locally, never sent to our servers

In Transit

All network communications use secure protocols:

  • HTTPS/TLS 1.3 - All API communications are encrypted
  • WSS - WebSocket connections for AI features use secure WebSockets
  • SSH Tunneling - Database connections can be tunneled through SSH

Authentication

OAuth 2.0

QueryMind supports secure authentication via:

  • Google OAuth - Sign in with your Google account
  • GitHub OAuth - Sign in with your GitHub account

Access tokens are stored in memory only and are never persisted to disk. Refresh tokens are encrypted using the platform's secure storage.

Guest Mode

You can try QueryMind without creating an account. In guest mode:

  • All data stays on your local machine
  • No account creation required
  • Limited to local database connections

Query Safety

Confirmation Levels

QueryMind implements a tiered confirmation system to prevent accidental data loss:

| Query Type | Confirmation Required | Examples |
| --- | --- | --- |
| SELECT | None | Read-only queries |
| DML (Data Modification) | Single confirmation | INSERT, UPDATE, DELETE |
| DDL (Schema Changes) | Double confirmation | DROP, TRUNCATE, ALTER |

SQL Injection Prevention

  • All user inputs are validated before use
  • SQL identifiers (table names, column names) are validated against strict patterns
  • Parameterized queries are used where applicable

Dangerous Query Detection

QueryMind warns you before executing potentially dangerous queries:

  • DROP DATABASE / DROP SCHEMA
  • DROP TABLE without IF EXISTS
  • TRUNCATE TABLE
  • DELETE without WHERE clause
  • UPDATE without WHERE clause
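
The confirmation tiers and the five warning patterns above, as an added JavaScript example that is not QueryMind's own code. It goes beyond the page by ignoring keywords inside comments, string literals and subqueries, which is where keyword matching usually goes wrong. All function names are hypothetical, standard SQL quoting is assumed, and unrecognised statements are assumed to fail closed at the DDL tier.

```javascript
// Added illustration, not QueryMind's code; every name here is hypothetical.
// Assumes standard SQL quoting ('' and "" escapes); backslash escapes,
// MySQL # comments and PostgreSQL dollar-quoting are not handled.
const NOISE = /'(?:[^']|'')*'|"(?:[^"]|"")*"|--[^\n]*|\/\*[\s\S]*?\*\//g;

// Blank literals and comments in one left-to-right pass, then collapse
// parenthesised groups so a WHERE inside a subquery does not count.
function normalize(sql) {
  let s = sql.replace(NOISE, m => (m[0] === "'" ? "''" : m[0] === '"' ? '""' : ' '));
  let prev;
  do { prev = s; s = s.replace(/\([^()]*\)/g, ' _ '); } while (s !== prev);
  return s.toUpperCase();
}

// The five patterns the page lists, applied to one normalized statement.
const RULES = [
  [/^DROP\s+(DATABASE|SCHEMA)\b/, 'DROP DATABASE / DROP SCHEMA'],
  [/^DROP\s+TABLE\b(?!\s+IF\s+EXISTS\b)/, 'DROP TABLE without IF EXISTS'],
  [/^TRUNCATE\b/, 'TRUNCATE TABLE'],
  [/^DELETE\b(?![\s\S]*\bWHERE\b)/, 'DELETE without WHERE clause'],
  [/^UPDATE\b(?![\s\S]*\bWHERE\b)/, 'UPDATE without WHERE clause'],
];

// Confirmations per the page's table: SELECT 0, DML 1, DDL 2.
function tier(stmt) {
  if (/^SELECT\b/.test(stmt)) return 0;
  if (/^(INSERT|UPDATE|DELETE)\b/.test(stmt)) return 1;
  return 2; // DDL, plus (assumption) anything unrecognised fails closed
}

// A multi-statement input takes the strictest tier of its statements.
function assess(sql) {
  const statements = normalize(sql).split(';').map(s => s.trim()).filter(Boolean);
  const warnings = [];
  let confirmations = 0;
  for (const stmt of statements) {
    confirmations = Math.max(confirmations, tier(stmt));
    for (const [re, label] of RULES) if (re.test(stmt)) warnings.push(label);
  }
  return { confirmations, warnings };
}

// Constructed inputs: a keyword in a literal, a commented-out WHERE, a batch.
for (const q of ["SELECT 'DROP TABLE users' AS note",
                 "DELETE FROM orders -- WHERE id = 7",
                 "SELECT 1; DROP TABLE audit_log"]) {
  console.log(q, '=>', JSON.stringify(assess(q)));
}
```
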

Connection Security

Rate Limiting

To protect against brute-force attacks:

  • Maximum 10 connection attempts per host per minute
  • 5-minute cooldown after exceeding the limit
  • Rate limit is cleared after successful connection

SSH Tunneling

For databases not directly accessible:

  • Support for SSH key authentication
  • SSH key passphrases are encrypted in the credential store
  • Jump host / bastion server support

AI Feature Security

Your Data Privacy

When using AI features:

  • Schema context is sent to generate accurate queries, but actual data values are not
  • AI providers (OpenAI, Anthropic, Google) process queries according to their privacy policies
  • You can use your own API keys (BYOK) for full control

Bring Your Own Key (BYOK)

For maximum privacy, use your own API keys:

  • Your API keys are encrypted and stored locally
  • Queries go directly to the AI provider
  • No query data passes through our servers

Best Practices

For Personal Use

  1. Use OAuth sign-in for the best experience
  2. Enable OS-level screen lock for physical security
  3. Regularly update QueryMind to get security patches

For Production Databases

  1. Use SSH tunneling for remote databases
  2. Create read-only database users when possible
  3. Enable DDL confirmation (on by default)
  4. Consider using a bastion host for added security

For Teams

  1. Use individual accounts instead of sharing credentials
  2. Leverage database-level access controls
  3. Review query history regularly

Reporting Security Issues

If you discover a security vulnerability, please report it responsibly:

  1. Email: [email protected]
  2. Do not disclose the issue publicly until we've addressed it
  3. We appreciate and acknowledge security researchers