Important security information for Antigravity Proxy.

This proxy is designed for LOCAL DEVELOPMENT ONLY.

DO NOT:

• ❌ Use in production environments
• ❌ Expose the proxy to the internet
• ❌ Run on shared/public networks
• ❌ Use on company networks without permission

The proxy requires NODE_TLS_REJECT_UNAUTHORIZED=0 which disables SSL certificate verification.

Why this matters:

• Your connection is vulnerable to man-in-the-middle attacks
• Only safe on trusted local networks (your computer)
• Never use this setting in production code

Your Gemini API key is stored in .env and used by the proxy.

Protect your API key:

• Never commit .env to git (already in .gitignore)
• Don't share your .env file
• Don't post logs containing your API key online
• Rotate keys regularly
• Use separate keys for testing/production

The proxy:

1. Intercepts HTTP/HTTPS traffic
2. Reads request headers and URLs
3. Modifies authentication credentials
4. Forwards to Google's servers
5. Returns responses unchanged

The proxy can see:

• ✅ Request URLs
• ✅ Request/response headers
• ✅ API keys (original and replacement)
• ✅ Request/response bodies
• ✅ All data sent to Gemini API

The proxy does NOT:

• ❌ Store request/response data (except logs)
• ❌ Send data anywhere except Google's API
• ❌ Modify response content
• ❌ Share your API key externally
• ❌ Track usage beyond local logs

Logs contain:

• Request URLs (may contain query parameters)
• Partial API keys (first 15 characters)
• Response status codes
• Timestamps
• Error messages

logs/
├── combined.log    # All logs
└── error.log       # Errors only

Log Security:

• Logs are stored locally only
• Not sent anywhere
• .gitignore prevents committing logs
• Review logs before sharing

Sensitive Data in Logs:

# Logs show partial keys (safe):
Old Key: AIzaSyABC123***
New Key: AIzaSyDEF456***

# NOT full keys (never logged):
AIzaSyABC123456789abcdefghijk  ❌

The proxy binds to localhost by default:

server.listen(config.proxyPort, () => {
  // Listening on 127.0.0.1 (localhost only)
});

macOS firewall may prompt to allow Node.js connections. This is safe for local development.

Default port 8080 is:

• Not exposed externally
• Only accessible from your computer
• Not forwarded through router

.env contains:

GEMINI_API_KEY=your_secret_key_here  # SENSITIVE!
PROXY_PORT=8080                      # Not sensitive
LOG_LEVEL=info                       # Not sensitive

• .env is in .gitignore (never committed)
• Only readable by you (file permissions)
• Not exposed to child processes (except proxy itself)

Check permissions:

ls -la .env
# Should show: -rw-r--r--  (readable by you)

Make private if needed:

chmod 600 .env

All dependencies are from npm:

• http-proxy - Trusted, widely-used proxy library
• dotenv - Standard environment variable loader
• winston - Standard logging library
• chalk - Terminal colors (no network access)

Check for vulnerabilities:

npm audit

Fix vulnerabilities:

npm audit fix

Use different API keys for:

• ✅ Development (this proxy)
• ✅ Testing
• ✅ Production

This limits damage if a key is compromised.

Rotate keys regularly:

1. Generate new key in Google AI Studio
2. Update .env
3. Delete old key in Google AI Studio
4. Restart proxy

Monitor API usage in Google AI Studio:

• Check for unexpected usage
• Review rate limit consumption
• Monitor costs (if on paid tier)

If you accidentally expose your key:

1. Go to Google AI Studio
2. Delete the compromised key immediately
3. Generate a new key
4. Update .env

Ensure you comply with:

• Google Gemini API Terms of Service
• Google API Services User Data Policy
• Your organization's security policies

Consider what data you're sending to Gemini API:

• Code may contain sensitive information
• Prompts may contain private data
• Don't send passwords, secrets, or PII unnecessarily

If using for work:

• ✅ Check if allowed to use external AI services
• ✅ Verify API usage complies with data policies
• ✅ Get approval for proxy usage
• ✅ Use company-provided API keys if required

✅ Accidental key exposure - Your key stays in .env, not hardcoded in Antigravity

❌ Malicious actors on your machine - If your computer is compromised, they can read .env ❌ Network attacks - SSL verification is disabled ❌ Google's data usage - Google still sees all your requests

Before using the proxy:

• Only using on your local machine
• Not on a public/shared network
• Have separate API key for development
• .env is not committed to git
• Understand SSL verification is disabled
• Reviewed logs for sensitive data before sharing
• Comply with Google's Terms of Service
• Have permission if using for work

Keep dependencies updated:

# Check for outdated packages
npm outdated

# Update all packages
npm update

# Update package.json
npm install package@latest

If you discover a security issue:

1. Do not open a public issue
2. Do not post details online
3. Email the maintainer privately
4. Include details and potential impact

• OWASP API Security Top 10
• Node.js Security Best Practices
• npm Security
• Google Cloud Security

Use at your own risk. This tool is provided as-is for educational purposes. The authors are not responsible for:

• API key compromises
• Data breaches
• Terms of Service violations
• Security incidents
• Costs incurred from API usage

Always follow security best practices and comply with all applicable terms and policies.