05 - Security Architecture

Overview

OpenAlgo implements defense-in-depth security with multiple layers protecting the application from various attack vectors. The security architecture covers authentication, authorization, transport security, input validation, and monitoring.

Security Layers Diagram

Layer 1: Transport Security

HTTPS Configuration

Cookie Security Attributes

Layer 2: Network Security

IP Banning System

Location: utils/security_middleware.py

IP Ban Model:

Rate Limiting

Location: limiter.py

Rate Limit Configuration:

Usage Example:

404 Error Tracking

Tracks suspicious 404 errors for potential attack detection:

Layer 3: Browser Security

Content Security Policy (CSP)

Location: csp.py

CSP Directives:

CORS Configuration

Location: cors.py

Additional Security Headers

Layer 4: Application Security

CSRF Protection

Location: app.py

CSRF Token Flow:

Frontend Implementation:

Password Security

Argon2 Hashing with Pepper:

Password Requirements:

API Key Security

Three-Level Verification:

Session Security

Layer 5: Data Security

Auth Token Encryption

Fernet Encryption for Broker Tokens:

Database Isolation

Five separate databases prevent cross-contamination:

Sensitive Data Protection

Log Redaction:

Security Configuration Summary

Environment Variables

Security Checklist

Startup Validation

Security Best Practices

1. Always use HTTPS in production

2. Never log sensitive data (passwords, tokens)

3. Use rate limiting on all authentication endpoints

4. Implement IP banning for abusive IPs

5. Keep API_KEY_PEPPER secure and backed up

6. Monitor 404 errors for attack detection

7. Use secure cookie attributes

8. Implement proper CSRF protection

Key Files Reference