Are Chrome extensions safe to use?

Chrome extensions can be safe when developed responsibly and reviewed by Google. However, extensions request permissions that can access sensitive data. Alexandria prioritizes security by automatically blocking 200+ sensitive site patterns (banking, passwords, healthcare), using Manifest V3 architecture, and never storing your content long-term. Always review an extension's permissions before installing.

Can Chrome extensions steal my data?

Extensions can access data based on their requested permissions. Alexandria minimizes this risk by: (1) blocking itself on password managers, banking sites, and login pages automatically, (2) processing content transiently without storage, (3) using TLS encryption for all communication, and (4) requesting only essential permissions (content access, storage, cookies).

Can Chrome extensions access my passwords?

Extensions with broad permissions can potentially access password fields. Alexandria automatically blocks all major password managers (1Password, LastPass, Bitwarden, Dashlane, NordPass, Keeper, RoboForm, Zoho Vault, Proton Pass, Enpass) and all login pages (accounts.*, login.*, signin.*, auth.*) preventing any access to password fields or vaults.

What permissions should I give Chrome extensions?

Only grant permissions necessary for the extension's core functionality. For text-to-speech extensions like Alexandria, essential permissions include: page content access (to read text), storage (to save preferences), and cookies (for authentication). Avoid extensions requesting clipboard, browsing history, downloads, or unnecessary host permissions.

How do I know if a Chrome extension is secure?

Check for: automatic blocking of sensitive sites, Manifest V3 architecture, transparent privacy policy, minimal permissions, HTTPS/TLS encryption, enterprise authentication (OAuth/SAML), and a security contact email. Alexandria implements all of these security measures and publishes comprehensive documentation of our protections.

Is Alexandria safe to use?

Yes, Alexandria is safe to use. The extension uses Manifest V3 architecture, automatically blocks 200+ sensitive sites (banking, passwords, healthcare), processes content transiently without long-term storage, encrypts all communication with TLS, and uses enterprise Clerk authentication. We publish comprehensive security documentation and provide security@alexandria.live for vulnerability reports.

What data does Alexandria collect?

Alexandria collects minimal data: (1) Authentication data (email via Clerk), (2) Anonymous usage analytics via PostHog (which features you use, not content), (3) TTS conversion metadata (text length, voice selection, not the actual text content). Your reading content is processed transiently for audio generation and immediately discarded.

Does Alexandria store my content?

No. Alexandria processes your content transiently for text-to-speech conversion and does not store it long-term. Text is sent to our API, converted to audio with word timestamps, and immediately discarded. We don't build a database of articles you've read or retain the content.

Can Alexandria access my banking information?

No. Alexandria automatically blocks all banking sites using pattern matching (/bank/ domains) and explicitly blocks major financial services (PayPal, Stripe, Venmo) and investment accounts (Fidelity, Schwab, E*TRADE, TD Ameritrade, Vanguard, Robinhood). The extension won't initialize on these sites, preventing any access to financial data.

Does Alexandria work on password managers?

No. Alexandria intentionally blocks all major password managers for your security: 1Password, LastPass, Bitwarden, Dashlane, NordPass, Keeper, RoboForm, Zoho Vault, Proton Pass, and Enpass. Additionally, any vault.* subdomain or /vault URL path is blocked. This prevents any access to your stored credentials.

Is Alexandria GDPR compliant?

Yes. Alexandria complies with UK GDPR and Data Protection Act 2018. We use PostHog analytics in the EU region, process data under lawful bases (contract, legitimate interests, consent), provide data subject rights (access, erasure, portability), and maintain transparent privacy documentation. See our Privacy Policy for complete GDPR compliance details.

Can Alexandria read my emails without permission?

No. Alexandria never activates automatically on email services. Gmail and Outlook require manual activation-you must click the play button on a specific email to start listening. The extension doesn't run in the background scanning your inbox. Each email requires explicit user interaction to process.

What sites does Alexandria block?

Alexandria blocks 200+ site patterns across 10 categories: (1) Password managers, (2) Banking and financial sites, (3) Account/login pages (accounts.*, login.*, signin.*), (4) Payment processors and authentication, (5) Healthcare portals (HIPAA-protected), (6) Tax preparation sites, (7) HR/payroll systems, (8) Legal research platforms, (9) Cryptocurrency exchanges, (10) Government sites (.gov, .mil). See our complete blocklist on the security page.

How does Alexandria block sensitive sites?

Alexandria checks every URL against 200+ blocking patterns before initialization (under 10ms). Patterns include exact URLs (https://accounts.google.com), subdomain regex (/^https?:\/\/accounts\./), path regex (/\/login/), and domain patterns (/\.bank/). If matched, the extension stops initialization, sends a "Protected" message to the popup, and performs no content extraction.

Is Alexandria safe for work/enterprise use?

Yes. Alexandria is designed for professionals handling sensitive information. It blocks HR/payroll portals (ADP, Workday, Paychex), legal research platforms (LexisNexis, Westlaw), healthcare systems, and financial services. Enterprise features include: Clerk authentication, Row-Level Security for data isolation, audit logging capability, and compliance with GDPR/data protection regulations.

What is Manifest V3 and why does it matter?

Manifest V3 is Chrome's latest extension security standard (2024+). It provides stronger security than the older Manifest V2 through: stricter permission requirements, service workers instead of persistent background pages (better isolation), enhanced Content Security Policy enforcement, and restricted remote code execution. Alexandria uses Manifest V3 for improved security.

What is Row-Level Security (RLS)?

Row-Level Security is database-level protection that prevents unauthorized data access. In Alexandria, RLS policies ensure your sources, notebooks, and highlights are isolated-other users cannot access your data even if there's a vulnerability in the application code. This provides defense-in-depth security beyond application-layer controls.

How is my data encrypted?

Alexandria uses TLS encryption for all communication between the extension and our servers. Your text is encrypted in transit using HTTPS. Our database provider (Supabase) also encrypts data at rest using AES-256.

What permissions does Alexandria request?

Alexandria requests minimal permissions: (1) Content access - to read text on pages for TTS, (2) Storage - to save your preferences and settings, (3) Cookies - for Clerk authentication, (4) Tabs - to detect navigation and manage extension state. Alexandria does NOT request: clipboard access, browsing history, downloads, bookmarks, or desktop capture.

Does Alexandria track my browsing history?

No. Alexandria does not track your browsing history. We only collect anonymous analytics about Alexandria usage (which features you use, playback events) via PostHog. We don't know which websites you visit or build a profile of your browsing behavior. The extension only processes content when you explicitly click play.

Can Alexandria see my private/incognito browsing?

Only if you explicitly enable "Allow in Incognito" in Chrome's extension settings (chrome://extensions). By default, Chrome extensions don't run in incognito mode unless you grant permission. Alexandria respects this privacy boundary and won't run in incognito unless you enable it.

Is my reading content sent to third parties?

Your text content is sent to DeepInfra (our TTS provider) for audio synthesis. DeepInfra processes the text to generate audio and word timestamps, then immediately discards it. We use DeepInfra under a data processing agreement. Your content is not used for AI training or shared with other third parties. See our Privacy Policy for the complete list of processors.

Does Alexandria work offline?

No. Alexandria requires an internet connection to convert text to speech via our API. However, this ensures your content is processed with high-quality neural voices and word-level timestamps. We don't store large AI models locally on your device, which would consume significant disk space and raise security concerns about local data storage.

Is Alexandria safer than Speechify?

Alexandria implements more comprehensive security measures than Speechify. Key differences: Alexandria blocks 200+ sensitive site patterns automatically (Speechify has limited blocking), uses zero long-term content storage (Speechify may cache), implements Manifest V3 (Speechify varies by version), and provides transparent security documentation. Compare our security page to competitors for detailed differences.

Is Alexandria safer than Read Aloud?

Alexandria provides stronger security controls: automatic blocking of 200+ sensitive sites vs Read Aloud's minimal blocking, enterprise Clerk authentication vs basic or no auth, zero content storage vs potential caching, and comprehensive privacy documentation. Alexandria is designed for users handling sensitive information.

Is Alexandria safer than browser built-in TTS?

Browser built-in TTS is generally secure since it processes content locally without network transmission. However, it lacks: smart site blocking (won't auto-block sensitive pages), high-quality neural voices, word-level highlighting synchronization, and speed control. Alexandria adds these features while maintaining security through site blocking, transient processing, and encryption.

How does Alexandria compare to Natural Reader?

Alexandria implements stronger privacy protections: automatic site blocking (Natural Reader has minimal blocking), zero long-term content storage (Natural Reader may retain content), privacy-first analytics in EU region (Natural Reader's analytics vary), and transparent security documentation. Alexandria is built for privacy-conscious users.

Can Alexandria access my tax documents?

No. Alexandria automatically blocks all major tax preparation sites including TurboTax, H&R Block, TaxAct, FreeTaxUSA, TaxSlayer, and IRS.gov. The extension won't initialize on these sites, preventing any access to your tax documents, SSN, or financial information.

Does Alexandria work on healthcare portals?

No. Alexandria blocks healthcare and medical portals that contain HIPAA-protected information. This includes patient portals, MyChart (Epic Systems), FollowMyHealth, HealthVault, and insurance portals (UnitedHealthcare, Anthem, Blue Cross Blue Shield, Aetna, Cigna, Humana). Medical privacy is protected by default.

Can Alexandria access my cryptocurrency accounts?

No. Alexandria blocks all major cryptocurrency exchanges including Coinbase, Binance, Kraken, Gemini, and Crypto.com. The extension won't activate on crypto trading platforms, preventing access to your assets, private keys, or trading information.

Does Alexandria work on HR/payroll systems?

No. Alexandria blocks HR and payroll portals that contain sensitive employee information. This includes ADP, Workday, Paychex, Paylocity, Paycom, UltiPro/UKG, and BambooHR. Your salary, benefits, SSN, and tax forms are protected from extension access.

Can I use Alexandria on legal research platforms?

No. Alexandria blocks legal research and court filing systems to protect confidential legal documents. This includes LexisNexis, Westlaw, Bloomberg Law, PACER (federal court records), and US Courts domains. Legal document confidentiality is maintained.

How do I report a site that should be blocked?

If you encounter a sensitive site where Alexandria activates (false negative) or a safe site that's incorrectly blocked (false positive), report it via support@alexandria.live. We review all reports and update the blocklist regularly. Your feedback improves security for all users.

Can I manually block additional sites?

Currently, Alexandria uses a centrally-managed blocklist updated by our team. User-customizable blocking is planned for a future update. For now, you can report sites that should be added to the global blocklist via our feedback page.

How often is the blocklist updated?

Alexandria's blocklist is reviewed and updated regularly based on user reports, security research, and new service launches. Critical security updates (new payment processors, major service changes) are pushed immediately. General updates occur monthly.

Is my Alexandria account secure?

Yes. Alexandria uses Clerk for authentication, an enterprise identity platform trusted by thousands of companies. Clerk provides: secure OAuth with Google/Microsoft, passwordless email magic links, optional two-factor authentication (2FA), session management, and security monitoring. Your account credentials are never stored by Alexandria-Clerk handles all authentication.

Does Alexandria support two-factor authentication?

Yes. Alexandria supports two-factor authentication (2FA) through Clerk. You can enable 2FA in your account settings for enhanced security. Options include authenticator apps (Google Authenticator, Authy) and SMS-based verification.

What happens if my Alexandria account is compromised?

If you suspect account compromise: (1) Change your password immediately via Clerk, (2) Enable two-factor authentication, (3) Review active sessions and revoke suspicious ones, (4) Contact support@alexandria.live for assistance. Since Alexandria doesn't store your reading content, compromised accounts cannot access your historical reading data.

What is Content Security Policy (CSP)?

Content Security Policy is a browser security mechanism that restricts which scripts can execute in a web application or extension. Alexandria enforces a strict CSP that allows only scripts from trusted sources ('self') and prevents inline script execution. This reduces the risk of XSS (cross-site scripting) attacks and malicious code injection.

How does Alexandria prevent XSS attacks?

Alexandria prevents XSS (cross-site scripting) through multiple layers: (1) Strict Content Security Policy restricting script sources, (2) HTML sanitization for user-generated content using DOMPurify, (3) Input validation on all API endpoints, (4) No use of dangerous functions like eval() or innerHTML with untrusted data. These combined protections minimize XSS risk.

What is UUID-based resource protection?

Alexandria uses UUIDs (Universally Unique Identifiers) for all resource IDs instead of sequential numbers. This means your sources, notebooks, and highlights have random IDs like "a3f2b8c9-4d1e-4f5a-9c2b-7e8f9a0b1c2d" instead of "1, 2, 3". This prevents enumeration attacks where attackers guess IDs to access other users' data.

Can I use Alexandria on Google Docs?

Currently, Google Docs is blocked while we develop a specialized adapter for it. This ensures we can handle Google Docs' complex structure securely without risking data leakage. The adapter is under development and will be enabled once thoroughly tested.

Does Alexandria block social media sites?

Alexandria requires manual activation on social media (Twitter/X, Facebook, Instagram, LinkedIn) but doesn't completely block them. You can click the extension icon to activate Alexandria when needed. This "manual-only" approach protects your privacy while allowing flexibility for reading long social media content.

Can I use Alexandria on local files (PDFs)?

PDF support is available through the Alexandria web app (app.alexandria.live), where you can upload and listen to PDFs with word-by-word highlighting. The Chrome extension does not support PDFs. You can enable "Allow access to file URLs" in Chrome's extension settings (chrome://extensions) to access local HTML files, but this is not required for PDF reading — use the web app instead.

Is Alexandria SOC 2 compliant?

Alexandria is working toward SOC 2 compliance. Current security controls include: enterprise authentication (Clerk), database-level security (Supabase RLS), encryption in transit (TLS), audit logging capability, and access controls. SOC 2 certification is planned for 2026 as we grow our enterprise customer base.

Can Alexandria be used in healthcare organizations (HIPAA)?

Alexandria blocks all healthcare portals and patient management systems to protect HIPAA data. However, Alexandria itself is not currently HIPAA-compliant for processing protected health information (PHI). Healthcare organizations should not use Alexandria to process patient records or PHI. It can be used for general medical articles and non-PHI content.

Does Alexandria have a security audit?

Alexandria conducts regular internal security audits. We have identified and documented 200+ sensitive site patterns for blocking, implemented Manifest V3 security standards, and maintain comprehensive security documentation. Third-party penetration testing is planned for Q2 2026 before wider public launch.

How do I report a security vulnerability?

Report security vulnerabilities responsibly to security@alexandria.live. Include: description of the vulnerability, steps to reproduce, potential impact, and your contact information. We aim to respond within 24 hours for critical issues. We do not currently have a bug bounty program but plan to launch one in 2026.

Does blocking 200+ sites slow down Alexandria?

No. Site blocking adds less than 10ms overhead per page load. Alexandria uses efficient pattern matching with caching-the performance impact is negligible. The security benefit (preventing sensitive data access) far outweighs the minimal performance cost.

What happens if Alexandria blocks a site incorrectly?

If Alexandria blocks a site you believe is safe (false positive), the extension popup shows "Protected" status. Contact support@alexandria.live to report the site. We'll review it and updates typically roll out within 1-2 weeks.

Does Alexandria plan to add more security features?

Yes. Our security roadmap includes: user-customizable site blocking (allow/block specific domains), enhanced audit logging for enterprise users, SOC 2 compliance certification, third-party penetration testing, bug bounty program, and automatic security updates for new threat patterns. See alexandria.live for updates.

Security & Privacy Protection

Alexandria is built with security and privacy at its core. The extension automatically blocks itself on 200+ sensitive sites including banking, password managers, healthcare portals, and login pages before any data is accessed. All communication uses TLS encryption, content is processed transiently (never stored), and enterprise authentication protects your account with optional 2FA.

What We're Doing to Protect You

✅

Manifest V3 Extension

Built on Chrome's latest security architecture

✅

Enterprise Authentication

✅

Zero Storage Policy

Your content is processed, not stored

✅

TLS Encryption

All data encrypted in transit

✅

Database-Level Isolation

Row-Level Security protects your data

✅

200+ Sites Blocked

Proactive protection for sensitive pages

✅

Content Security Policy

Browser-enforced script restrictions

✅

Privacy-First Analytics

GDPR-compliant PostHog (EU region)

✅

Secure Message Passing

Chrome's secure messaging API throughout

✅

24/7 Security Contact

Dedicated security@alexandria.live

How Alexandria Protects Your Sensitive Data

Unlike most text-to-speech extensions that run everywhere by default, Alexandria takes a security-first approach. The extension proactively blocks itself on sensitive websites to prevent any possibility of accessing your private information.

This protection happens automatically, before any content is extracted or processed. When you visit a blocked site, Alexandria won't initialize-no widget appears, no text is extracted, and no API calls are made.

Key Facts

86% of the top 100 Chrome extensions request high-risk permissions on installation [LayerX Enterprise Browser Extension Security Report, 2025].

Over 5.8 million users were directly affected by documented malicious Chrome extensions in 2024-2025 [TechRadar, 2025].

A December 2024 supply chain attack compromised 35+ Chrome extensions, affecting 2.6 million users [Dark Reading, 2024].

95% of global web traffic is encrypted using HTTPS as of 2025, up from under 50% a decade ago [comparecheapssl.com, 2025].

The average cost of a data breach reached $4.44 million globally in 2025 [IBM Cost of Data Breach Report, 2025].

Security Features You Get Automatically

200+ Sensitive Sites Blocked

Alexandria maintains a comprehensive blocklist of 200+ site patterns covering password managers (1Password, LastPass, Bitwarden, etc.), banking sites, healthcare portals, tax preparation services, HR/payroll systems, legal research platforms, cryptocurrency exchanges, and all login/account pages. This list is updated regularly.

Zero Long-Term Data Storage

Your content is processed transiently for text-to-speech conversion and immediately discarded. We don't build a database of what you've read or listened to. The only data we retain is anonymous usage analytics (which pages you used the extension on, not the content itself).

TLS Encryption Everywhere

All communication between the extension and our servers uses TLS encryption (HTTPS). Your text is encrypted in transit, protecting against man-in-the-middle attacks and eavesdropping. Encryption can reduce breach-related costs by up to $2.5 million when paired with modern security practices [IBM, 2025].

Enterprise-Grade Authentication

Alexandria uses Clerk for authentication-the same enterprise platform trusted by thousands of companies. Clerk supports Google Sign-In, Microsoft accounts, passwordless email magic links, and optional two-factor authentication (2FA) for enhanced security.

Manifest V3 Architecture

Alexandria is built on Chrome's latest Manifest V3 standard, which provides stronger security controls than older extensions. Manifest V3 includes stricter permission requirements, enhanced privacy protections, and isolated execution contexts that prevent malicious code injection. As of August 2025, 73.4% of Chrome extensions had migrated to Manifest V3 [arXiv, 2025].

Row-Level Security (Database)

Your data in our database is protected with Row-Level Security (RLS) policies. This means even if there's a vulnerability in the application code, the database itself prevents unauthorized access to your data. Your sources, notebooks, and highlights are isolated at the database level.

Content Security Policy

The extension enforces a strict Content Security Policy (CSP) that restricts which scripts can execute. This prevents unauthorized code from running and reduces the risk of XSS (cross-site scripting) attacks.

Privacy-First Analytics

Alexandria uses PostHog for analytics, hosted in the EU region for GDPR compliance. We collect pseudonymous usage data (which features you use, not what content you read). Session recording is permanently disabled. We never track your browsing history outside of Alexandria usage. GDPR enforcement resulted in €1.2 billion in fines during 2024 alone, with cumulative penalties reaching €5.88 billion since the regulation took effect [GDPR Register, 2025].

Minimal Permissions

Alexandria only requests the permissions necessary to function: page content access (to read text aloud), storage (to save your preferences), and cookies (for authentication). We don't request clipboard access, browsing history, or other invasive permissions.

Secure Message Passing

Communication between extension components uses Chrome's secure messaging API, which provides isolated contexts and prevents direct DOM manipulation from untrusted code. This architecture reduces the risk of code injection attacks.

What Makes Alexandria Different from Other Extensions

Most text-to-speech extensions activate everywhere by default and rely on users to manually disable them on sensitive sites. This puts the burden on you to remember which sites are risky.

Alexandria reverses this model: we block sensitive sites by default. You get protection automatically, without having to think about it.

Proactive Protection

Alexandria checks every URL against 200+ blocking patterns before initialization. If you navigate to accounts.google.com or vault.bitwarden.com, the extension won't activate-no widget, no content extraction, no data transmission. This happens in under 10ms with zero performance impact.

Pattern-Based Detection

Instead of maintaining a static list of URLs, Alexandria uses intelligent pattern matching. For example, the pattern /^https?:\/\/accounts\./ blocks all accounts.* subdomains across any service (accounts.google.com, accounts.microsoft.com, accounts.github.com, etc.). This provides comprehensive coverage even for new services we haven't specifically listed.

User-Reported Improvements

If Alexandria blocks a site incorrectly (false positive) or misses a sensitive site that should be blocked, you can report it via our feedback page. We review reports regularly and update the blocklist accordingly. Your feedback makes the extension safer for everyone.

Automatic Site Blocking

Alexandria will never activate on the following types of sensitive pages. This protection happens automatically before any content is extracted or processed.

Account & Authentication Pages

Login and sign-in pages (accounts.*, login.*, signin.*, auth.*, sso.*)
Google, Microsoft, Yahoo, Facebook, Apple ID login pages
Single Sign-On (SSO) portals
Two-factor authentication pages
Password reset and account recovery pages

Password Managers

1Password, LastPass, Bitwarden, Dashlane
NordPass, Keeper, RoboForm, Zoho Vault
Proton Pass, Enpass
Any vault.* subdomain or /vault path

Financial Services

Banking: All sites matching banking patterns and domains
Payment Processors: PayPal, Stripe, Venmo
Investment Accounts: Fidelity, Schwab, E*TRADE, TD Ameritrade, Vanguard, Robinhood
Cryptocurrency: Coinbase, Binance, Kraken, Gemini, Crypto.com
Payment Authentication: 3D Secure verification, Cardinal Commerce, Visa/Mastercard secure checkout

Healthcare & Medical

Patient portals (HIPAA-protected health information)
MyChart, FollowMyHealth, HealthVault
Insurance portals: UnitedHealthcare, Anthem, Blue Cross Blue Shield, Aetna, Cigna, Humana

Tax & Financial Documents

Tax preparation sites: TurboTax, H&R Block, TaxAct, FreeTaxUSA, TaxSlayer
IRS.gov and all government tax portals
Tax filing and financial document sites

HR & Payroll Systems

ADP, Workday, Paychex, Paylocity
Paycom, UltiPro/UKG, BambooHR
Employee portals containing salary, benefits, and tax information

Legal & Court Systems

Legal research platforms: LexisNexis, Westlaw, Bloomberg Law
Court filing systems: PACER, US Courts domains
Confidential legal documents and case management systems

Government & Secure Sites

All .gov and .mil domains
Government portals and services
Browser internal pages (chrome://, edge://, about:)
Extension stores and management pages

Analytics & Tag Management

Google Tag Manager
Google Analytics
Google Marketing Platform

How Protection Works

When you visit a protected site:

Instant Detection: Alexandria checks the URL before any initialization (less than 10ms overhead)
Complete Blocking: No content extraction, no text processing, no API calls
Clear Communication: Extension popup shows "Protected" status with explanation
User Feedback: Easy reporting if you believe a site is incorrectly blocked via support@alexandria.live

How Alexandria Protects Your Sensitive Data

Key Facts

86% of the top 100 Chrome extensions request high-risk permissions on installation [LayerX Enterprise Browser Extension Security Report, 2025].

Over 5.8 million users were directly affected by documented malicious Chrome extensions in 2024-2025 [TechRadar, 2025].

A December 2024 supply chain attack compromised 35+ Chrome extensions, affecting 2.6 million users [Dark Reading, 2024].

95% of global web traffic is encrypted using HTTPS as of 2025, up from under 50% a decade ago [comparecheapssl.com, 2025].

The average cost of a data breach reached $4.44 million globally in 2025 [IBM Cost of Data Breach Report, 2025].

Security Features You Get Automatically

200+ Sensitive Sites Blocked

Zero Long-Term Data Storage

TLS Encryption Everywhere

Enterprise-Grade Authentication

Manifest V3 Architecture

Row-Level Security (Database)

Content Security Policy

Privacy-First Analytics

Minimal Permissions

Secure Message Passing

What Makes Alexandria Different from Other Extensions

Most text-to-speech extensions activate everywhere by default and rely on users to manually disable them on sensitive sites. This puts the burden on you to remember which sites are risky.

Alexandria reverses this model: we block sensitive sites by default. You get protection automatically, without having to think about it.

Proactive Protection

Pattern-Based Detection

User-Reported Improvements

How to Evaluate Text-to-Speech Extension Security

Use this checklist to assess whether any TTS extension is safe to use. Alexandria implements all 7 security measures.

Check Site Blocking Policy

A secure TTS extension should block sensitive sites automatically. Check if it blocks password managers, banking sites, healthcare portals, and login pages by default. Alexandria blocks 200+ site patterns including all major password managers, financial services, and authentication pages.

Verify Data Storage Policy

Read the privacy policy to understand what data is stored. Secure extensions process content transiently without long-term retention. Alexandria never stores your content-text is converted to speech in real-time and immediately discarded.

Review Requested Permissions

Check the extension's permissions in Chrome. Red flags include: clipboard access (unless needed for core functionality), browsing history access, downloads permission, or overly broad host permissions. Alexandria requests only content access, storage (preferences), and cookies (authentication).

Check for Manifest V3

Verify the extension uses Manifest V3, Chrome's latest security standard. Manifest V2 extensions are deprecated and have weaker security controls. Alexandria is built on Manifest V3 with stricter permission requirements and enhanced privacy protections.

Verify Encryption

Check if the extension uses HTTPS/TLS for all server communication. Any unencrypted (HTTP) communication is a major security risk. Alexandria uses TLS encryption for all API calls-your data is encrypted in transit.

Review Authentication Method

Secure extensions use enterprise authentication providers (OAuth, SAML, trusted identity platforms) rather than custom-built auth. Alexandria uses Clerk, an enterprise authentication platform with support for 2FA, passwordless login, and security monitoring.

Look for Security Contact

Trustworthy extensions provide a security contact email for responsible disclosure of vulnerabilities. Alexandria maintains security@alexandria.live for security reports and publishes a comprehensive security page documenting our protections.

Security Features Comparison

Feature	Alexandria	Typical Extension	Why It Matters
Automatic Site Blocking	200+ patterns	0-20 patterns	Proactive protection without user configuration
Password Manager Blocking	All 10 major password managers	Usually none	Prevents credential theft and vault access
Banking Site Protection	Pattern-based (all banking domains)	Manual blocking only	Automatic financial data protection
Healthcare Portal Blocking	HIPAA-protected sites blocked	No blocking	Medical privacy compliance
Login Page Protection	All accounts., login., signin.* blocked	Rarely blocked	Prevents access to authentication pages
Data Storage	Zero retention (transient processing)	Often stored for caching	Privacy guarantee - can't leak what we don't store
Authentication	Clerk enterprise (with 2FA support)	Basic or none	Account security and session management
Extension Architecture	Manifest V3 (latest standard)	Often V2 (deprecated)	Modern security controls and privacy protections
Content Security Policy	Strict CSP (script-src 'self')	Often permissive	Prevents XSS and code injection attacks
Encryption	TLS everywhere (HTTPS only)	Varies	Data protection in transit
Database Security	Row-Level Security (RLS)	Application-level only	Defense-in-depth data isolation
Analytics Privacy	PostHog EU (GDPR-compliant)	Google Analytics (US)	European data protection standards
Security Documentation	Comprehensive public security page	Basic or none	Transparency builds trust
Security Contact	security@alexandria.live	Often missing	Responsible vulnerability disclosure

* Comparison based on publicly available information. Features and pricing may vary.

Technical Security Measures

Encryption in Transit: All API communications use HTTPS/TLS
No Data Storage: Text content is processed transiently and not stored long-term
Minimal Permissions: Extension only requests necessary browser permissions
Regular Updates: Security patterns are continuously updated to protect against new threats
Pattern Matching: Both exact URL matching and regex patterns for comprehensive coverage
Row-Level Security: Database-level data isolation prevents unauthorized access
Content Security Policy: Strict CSP prevents unauthorized script execution
UUID Resource IDs: Cryptographically random identifiers prevent enumeration attacks

Manual Activation Sites

Some sites require manual activation for privacy (not blocked, but won't auto-start):

Social media platforms (Twitter/X, Facebook, Instagram, LinkedIn)
Development tools (GitHub, GitLab, Stack Overflow)
Collaboration tools (Slack, Discord, Notion, Figma)
Web applications (app.*, dashboard.*, console.* subdomains)

On these sites, click the Alexandria extension icon to manually activate when needed.

Frequently Asked Questions

Reporting & Transparency

We believe in transparency and continuous improvement:

Report Incorrect Blocking: If a site is incorrectly blocked, report it via support@alexandria.live
Request New Protections: Know a sensitive site we should block? Let us know
Open Communication: We'll explain our blocking decisions and update this page as protections evolve
Security Roadmap: Follow our planned security improvements at our story page

Security Contact

Found a security issue? Please report it responsibly:

security@alexandria.live

We aim to respond within 24 hours for critical vulnerabilities.

Our Security Philosophy

We built Alexandria with security baked in from the start. A few principles guide our approach:

Security should be automatic. Users shouldn't have to remember which sites are risky.
If we block sensitive sites by default, you're protected even if you forget.
We publish everything about how we handle security. Transparency matters.
The strongest data protection is not storing your content in the first place.
Privacy isn't a feature you turn on. It's how the extension works.
We protect your data at multiple layers: the browser extension, our application code, and the database itself.

Related Policies

Privacy Policy - Complete privacy details and data practices
GDPR Rights - Your European data protection rights
Cookie Information - What cookies we use and why
Terms of Service - Terms of use

Contact

Questions about our security practices?
General inquiries: support@alexandria.live
Security reports: security@alexandria.live
Feedback & feature requests: support@alexandria.live