Security Model
Early Draft
This specification is at an early draft stage. Ideas are open for change and debate. A lot of the content was developed with the help of Claude AI.
Attack Vectors and Mitigations
Fake User-Agent (Vera)
Attack: A standard browser sets `User-Agent: Vera/1.0` to impersonate the Vera browser.
Impact without SDK: The page receives the Vera template without popups. There is no subscription bypass without a valid token.
Mitigation: Token validation is mandatory for paid content. Without a valid token the page is served in `vera_anonymous` mode, with no subscription access.
Token Theft and Replay (Vera Token)
Mitigations:
- `aud` claim binds the token to a specific domain
- `jti` claim makes the token single-use (Redis-based JTI register)
- 1-hour TTL limits the exposure window
- HTTPS-only: the token is never transmitted over an unencrypted connection
```python
import redis

redis_client = redis.Redis()  # connection settings are deployment-specific


def check_and_mark_jti(jti: str) -> bool:
    # SET with NX is atomic: it succeeds only if this JTI has never been seen.
    # The 3600 s expiry matches the token TTL, so the register does not grow unbounded.
    key = f"vera:jti:{jti}"
    was_set = redis_client.set(key, 1, ex=3600, nx=True)
    return was_set is not None
```
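The following is an added example, not code from the specification, that ties the Fake User-Agent and Token Theft and Replay sections together on the publisher side: a token is accepted only if its signature verifies, its `aud` matches the serving domain, it has not expired, and its `jti` has not been redeemed before; a Vera User-Agent alone never grants subscription access. Everything beyond the `aud`/`jti`/TTL claims named above is an assumption for illustration: the compact `header.payload.signature` encoding with HMAC-SHA256 over a shared secret, the in-memory `JtiRegister` standing in for the Redis SET NX EX register, the function names, and the mode name `vera_authenticated` for the successful case.

```python
"""Added example for the Vera security model (not the project's own code).

Assumptions not taken from the specification: tokens are compact
header.payload.signature strings signed with HMAC-SHA256 over a shared
secret, claims are a JSON object carrying `aud`, `exp` and `jti`, and the
JTI register is a dict standing in for Redis `SET key 1 EX ttl NX`.
"""
import base64
import hashlib
import hmac
import json
import secrets

TOKEN_TTL = 3600  # seconds; the 1-hour TTL from the specification
SECRET = b"constructed-shared-secret-for-the-example"  # constructed value


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(aud: str, now: float, secret: bytes = SECRET) -> str:
    """Issuer side: bind the token to one domain, give it a fresh JTI and a 1h expiry."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"aud": aud, "exp": int(now) + TOKEN_TTL, "jti": secrets.token_hex(16)}
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


class JtiRegister:
    """In-memory stand-in for the Redis JTI register (hypothetical helper)."""

    def __init__(self):
        self._seen = {}  # jti -> expiry timestamp

    def check_and_mark(self, jti: str, now: float, ttl: int = TOKEN_TTL) -> bool:
        # Purge expired entries so the register stays bounded, like Redis EX does.
        self._seen = {k: v for k, v in self._seen.items() if v > now}
        if jti in self._seen:
            return False  # replay: this token was already redeemed
        self._seen[jti] = now + ttl
        return True


def validate_token(token: str, expected_aud: str, register: JtiRegister,
                   now: float, secret: bytes = SECRET):
    """Publisher side. Returns (ok, reason); checks run signature, aud, exp, then jti."""
    try:
        header, body, sig = token.split(".")
        presented_sig = _unb64(sig)
        claims = json.loads(_unb64(body))
    except ValueError:
        return False, "malformed"
    expected_sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(presented_sig, expected_sig):
        return False, "bad_signature"
    if claims.get("aud") != expected_aud:
        return False, "aud_mismatch"  # token stolen from one domain, presented to another
    if now >= claims.get("exp", 0):
        return False, "expired"
    if not register.check_and_mark(claims.get("jti", ""), now):
        return False, "replayed"
    return True, "ok"


def resolve_mode(user_agent: str, token, expected_aud: str,
                 register: JtiRegister, now: float) -> str:
    """A Vera User-Agent by itself only yields vera_anonymous; a valid token is required."""
    if not user_agent.startswith("Vera/"):
        return "standard"
    if token is None:
        return "vera_anonymous"
    ok, _ = validate_token(token, expected_aud, register, now)
    return "vera_authenticated" if ok else "vera_anonymous"  # mode name is an assumption
```

Order matters in `validate_token`: the signature is verified before any claim is read, so unsigned or tampered payloads never reach the audience or replay logic, and the JTI is marked only after every other check passes, so a rejected token does not burn a slot in the register.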
Prompt Injection via Website
Attack: Malicious page attempts to manipulate Vera browser dialogs.
Mitigation: Vera dialogs are rendered in the browser chrome, which runs in a separate process from page content. Page JavaScript has no access to the native UI.
GDPR Compliance
| Data point | Storage location | Shared with | Legal basis |
|---|---|---|---|
| SSO user hash | Vera SSO servers (EU) | Publisher (anonymous, domain-specific) | Consent (Art. 6(1)(a)) |
| Vera wallet | Vera Wallet servers (EU) | Nobody | Contract (Art. 6(1)(b)) |
| Network verification signal | Telecom carrier | Publisher (validated, not persisted) | Legitimate interest (Art. 6(1)(f)) |
| Browser history | Local (Vera browser) | Nobody | — |