Security

The AbLead application uses a secure, industry-standard authentication stack and is designed with security as a core principle.

Technology Stack

  • Backend: Python/Flask with Flask-SQLAlchemy for database interactions.
  • Password Hashing: Uses Werkzeug's PBKDF2 with SHA-256 hashing. Passwords are never stored in plain text; only their cryptographic hashes are stored in the database.
  • Password Strength: Integrates the zxcvbn library to enforce high-entropy passphrases. Initial account setup requires a minimum of 12 characters and a complexity score of at least 3 out of 4.
  • Session Management: Uses Flask's signed sessions (cryptographically signed cookies). This prevents users from tampering with their session data.

Security Assessment

AbLead implements several layers of defense to protect user data:

Strong Hashing

PBKDF2 is a deliberately slow, iterated hashing algorithm designed to resist brute-force and dictionary attacks by making each password guess computationally expensive.

Signed Sessions

The application uses a unique, secure SECRET_KEY to sign session cookies. This ensures that session data cannot be forged or modified by a client.

CSRF Mitigation

The application sets the SameSite="Lax" attribute on its session cookies. This is a modern browser-level defense that significantly reduces the risk of Cross-Site Request Forgery (CSRF): the browser withholds the session cookie from cross-site requests other than top-level navigations, so a cross-site form POST or background request arrives without a session.

SQL Injection Protection

All database communication is performed via the SQLAlchemy ORM. This approach uses parameterized queries for all operations, which effectively eliminates the risk of SQL injection by passing user input as bound parameters rather than interpolating it into SQL text, so it is never executed as code.

Robust Access Control

Private application routes are protected by a @login_required decorator. This check verifies the user's identity, active status, and session validity on every request.

Inactivity Timeout

To protect sessions on shared or public terminals, the system includes a dynamic inactivity timeout (typically 30 minutes). If no activity is detected within this window, the session is invalidated, and the user is automatically logged out.
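The slow-hash and inactivity-timeout mechanisms described under Strong Hashing and Inactivity Timeout, as an added example that is not AbLead's or Werkzeug's own code: it reproduces Werkzeug's PBKDF2 hash string layout with the standard library only, verifies it in constant time, flags hashes whose iteration count has fallen behind policy, and applies the 30-minute idle check. The hash layout and iteration count are assumptions taken from Werkzeug's documented PBKDF2 defaults.

```python
import hashlib
import hmac
import secrets
import string

# Assumed format and cost: Werkzeug's "pbkdf2:sha256:<iterations>$<salt>$<hex>" layout and
# its current default PBKDF2 iteration count. These are not AbLead's own values.
PBKDF2_ITERATIONS = 600_000
SALT_ALPHABET = string.ascii_letters + string.digits
INACTIVITY_TIMEOUT_SECONDS = 30 * 60  # the 30-minute window described above


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS, salt: str = "") -> str:
    """Derive PBKDF2-HMAC-SHA256 and encode it in the Werkzeug-style string."""
    if not salt:
        salt = "".join(secrets.choice(SALT_ALPHABET) for _ in range(16))
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt.encode("utf-8"), iterations)
    return f"pbkdf2:sha256:{iterations}${salt}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the hash from the stored parameters and compare in constant time."""
    try:
        method, salt, expected_hex = stored.split("$", 2)
        algo, hash_name, iterations = method.split(":")
        iterations, expected = int(iterations), bytes.fromhex(expected_hex)
    except ValueError:
        return False  # malformed record: treat as a failed login, never as a bypass
    if algo != "pbkdf2" or hash_name != "sha256" or iterations < 1:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 salt.encode("utf-8"), iterations)
    return hmac.compare_digest(digest, expected)  # no timing leak on mismatch position


def needs_rehash(stored: str) -> bool:
    """True when a stored hash uses fewer iterations than the current policy."""
    try:
        _, _, iterations = stored.split("$", 2)[0].split(":")
        return int(iterations) < PBKDF2_ITERATIONS
    except ValueError:
        return True


def session_is_active(last_seen: float, now: float,
                      timeout: int = INACTIVITY_TIMEOUT_SECONDS) -> bool:
    """Inactivity check: valid only while the idle gap is within the window and not negative."""
    return 0 <= now - last_seen <= timeout
```

A login handler would call needs_rehash after a successful verify_password and store a fresh hash, so cost upgrades roll out as users sign in.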

Overall, the login system and data handling in AbLead adhere to modern web security best practices for professional biotherapeutic software.