07. Security & Safety¶
| Topic | Status |
|---|---|
| Translation privacy | Text stays in-browser for inference |
| Model/CDN trust | Public HF + jsDelivr/Tailwind/Google Fonts |
| Auth / secrets | None |
| SRI / CSP | Not configured |
| Fetch monkey-patch | Temporary during tokenizer load — concurrent fetch risk |
| XSS | Limited innerHTML for controlled UI strings |
Interview angle¶
Privacy win is real for translation text; supply-chain trust shifts to CDN and HF weights.