search
HomeGithubDiscordBlog

Practices

hashtag
OpenAlgo Security Practices Report

Version: 1.0 Date: December 2025 Overall Security Rating: 7.5 / 10

hashtag
Executive Summary

OpenAlgo implements enterprise-grade security with a defense-in-depth approach across all layers of the application. This document details all strong security practices currently implemented in the codebase.

hashtag
Key Security Highlights

Category
Implementation

Password Hashing

Argon2 with pepper

Token Encryption

Fernet (AES-128-CBC)

Session Protection

HTTPOnly, SameSite, Secure cookies

API Security

Dual-storage (hashed + encrypted)

Input Validation

Marshmallow schema validation

SQL Prevention

SQLAlchemy ORM (parameterized queries)

XSS Prevention

Content Security Policy headers

Rate Limiting

Flask-Limiter with configurable limits

Threat Detection

IP banning, 404 tracking, invalid key tracking

hashtag
1. Password & Credential Security

hashtag
Argon2 Password Hashing

OpenAlgo uses Argon2, the winner of the Password Hashing Competition, for all password storage.

Practice
Implementation
Location

Argon2 Hashing

Memory-hard hashing algorithm

database/user_db.py:74-77

Mandatory Pepper

32+ character pepper required at startup

database/auth_db.py:27-41

Auto-Rehashing

Passwords rehashed on verification if needed

database/user_db.py:84-87

hashtag
Password Strength Requirements

All passwords must meet the following criteria:

Location: utils/auth_utils.py:13-48

hashtag
Credential Masking

Sensitive credentials are masked in UI displays showing only the first 4 characters.

Location: utils/auth_utils.py:50-64

hashtag
2. API Key Security

hashtag
Dual-Storage Approach

API keys are stored using a dual approach for maximum security:

Storage Method
Purpose
Location

Argon2 Hash

Verification without exposing key

database/auth_db.py:334-336

Fernet Encrypted

Secure retrieval when needed

database/auth_db.py:339

hashtag
Intelligent Caching

Key Type
Cache TTL
Rationale

Valid Keys

10 hours

Reduce database load

Invalid Keys

5 minutes

Prevent cache poisoning

Location: database/auth_db.py:105-106

hashtag
Security Features

  • Cache Invalidation: Automatic invalidation on key regeneration (database/auth_db.py:354-355)

  • Invalid Key Tracking: Per-IP tracking of failed attempts (database/traffic_db.py:349-456)

  • SHA256 Cache Keys: API keys never stored as cache keys in plaintext (database/auth_db.py:397)

hashtag
3. Encryption

hashtag
Fernet Token Encryption

All sensitive tokens are encrypted using Fernet (symmetric authenticated encryption).

Component
Implementation
Location

Algorithm

Fernet (AES-128-CBC + HMAC)

database/auth_db.py:43-56

Key Derivation

PBKDF2-HMAC-SHA256

database/auth_db.py:46-50

Iterations

100,000

database/auth_db.py:50

hashtag
Encrypted Data

  • Broker authentication tokens

  • API keys (encrypted copy for retrieval)

  • SMTP passwords (if email reset enabled)

hashtag
4. Session Security

hashtag
Cookie Configuration

Setting
Value
Location

HTTPOnly

True

app.py:142

SameSite

Lax

app.py:143

Secure

HTTPS-conditional

app.py:144

Name Prefix

__Secure- (HTTPS)

app.py:150-151

hashtag
Session Expiry

  • Daily Expiry: Configurable auto-expiry time (default 3:00 AM IST)

  • Validation Decorator: check_session_validity() validates each request

  • Token Revocation: Automatic on session expiry

Location: utils/session.py:68-118

hashtag
5. CSRF Protection

hashtag
Flask-WTF Integration

Setting
Value
Location

CSRF Enabled

True

app.py:154-155

Cookie HTTPOnly

True

app.py:160

Cookie SameSite

Lax

app.py:161

Cookie Secure

HTTPS-conditional

app.py:162

hashtag
API Exemption

REST API endpoints (/api/v1/*) are exempt from CSRF as they use API key authentication instead.

Location: app.py:184

hashtag
6. Rate Limiting

hashtag
Configured Limits

Endpoint
Limit
Location

Login

5/minute, 25/hour

blueprints/auth.py:30-31

Password Reset

15/hour

blueprints/auth.py:84

API Requests

50/second

.sample.env:82

Order Placement

10/second

.sample.env:84

Smart Orders

2/second

.sample.env:86

Webhooks

100/minute

.sample.env:88

WebSocket

100/minute

.sample.env:90

hashtag
Implementation

  • Library: Flask-Limiter with moving-window strategy

  • Storage: Memory-based (configurable)

  • Per-IP: Rate limits applied per client IP

Location: limiter.py

hashtag
7. Input Validation

hashtag
Marshmallow Schema Validation

All API endpoints use Marshmallow schemas for strict input validation.

Schema
Validations
Location

OrderSchema

Action (BUY/SELL), quantity (min 1), price (min 0), product, pricetype

restx_api/schemas.py:3-15

ModifyOrderSchema

Order fields with validation

restx_api/schemas.py:31-43

CancelOrderSchema

orderid required

restx_api/schemas.py:45-48

BasketOrderSchema

Nested order validation

restx_api/schemas.py:69-72

SplitOrderSchema

Splitsize (positive int)

restx_api/schemas.py:74-86

OptionsOrderSchema

Strike, expiry, offset validation

restx_api/schemas.py:88-104

OptionsMultiOrderSchema

Array length 1-20

restx_api/schemas.py:120-132

MarginCalculatorSchema

Array length 1-50

restx_api/schemas.py:152-159

hashtag
Validation Features

hashtag
8. SQL Injection Prevention

hashtag
SQLAlchemy ORM

All database queries use SQLAlchemy ORM with parameterized queries.

Practice
Implementation

ORM Usage

100% of queries via SQLAlchemy

Parameterized Queries

filter_by() for all lookups

No String Concatenation

Zero raw SQL string building

hashtag
Example Safe Query

Locations: database/auth_db.py, database/user_db.py, database/traffic_db.py

hashtag
9. XSS Prevention (Content Security Policy)

hashtag
CSP Directives

Directive
Value
Purpose

default-src

'self'

Restrict all to same-origin

script-src

'self' 'unsafe-inline' cdn.socket.io

Scripts from self + Socket.IO

style-src

'self' 'unsafe-inline'

Styles from self

img-src

'self' data:

Images from self + data URIs

connect-src

'self' wss: ws:

WebSocket connections

font-src

'self'

Fonts from same-origin

object-src

'none'

No plugins allowed

frame-ancestors

'self'

Clickjacking protection

form-action

'self'

Form submission restriction

base-uri

'self'

Base tag restriction

Location: csp.py:139-186

hashtag
Configuration

hashtag
10. IP Security & Banning

hashtag
IP Ban System

Feature
Implementation
Location

Temporary Bans

Configurable duration (default 24h)

database/traffic_db.py:185

Permanent Bans

After repeat offenses

database/traffic_db.py:178-182

Repeat Tracking

Ban count incremented per violation

database/traffic_db.py:173-181

Localhost Protection

Never ban 127.0.0.1, ::1

database/traffic_db.py:162-164

hashtag
Threat Detection

Feature
Description
Location

404 Tracking

Detect bot scanning

database/traffic_db.py:242-347

Invalid API Key Tracking

Track brute-force attempts

database/traffic_db.py:349-456

Auto-Escalation

Temp ban → Permanent after 3 offenses

database/traffic_db.py:179-182

hashtag
Proxy IP Detection

Supports multiple proxy headers in priority order:

  1. CF-Connecting-IP (Cloudflare)

  2. True-Client-IP (Cloudflare Enterprise)

  3. X-Real-IP

  4. X-Forwarded-For

  5. X-Client-IP

  6. request.remote_addr (fallback)

Location: utils/ip_helper.py:1-108

hashtag
11. Logging & Audit Trails

hashtag
Traffic Logging

All HTTP requests are logged (except static files).

Field
Description

IP Address

Client IP (proxy-aware)

Method

HTTP method

Path

Request path

Status Code

Response status

Duration

Request duration (ms)

User ID

Authenticated user (if available)

Error

Error message (if any)

Location: utils/traffic_logger.py:35-44

hashtag
Sensitive Data Redaction

The following patterns are automatically redacted from logs:

Location: utils/logging.py:28-80

hashtag
Log Retention

  • Rotating Files: Configurable rotation

  • Default Retention: 14 days

  • Separate Log Database: LOGS_DATABASE_URL for traffic logs

hashtag
12. Docker Security

hashtag
Dockerfile Hardening

Practice
Implementation
Location

Multi-Stage Build

Separate builder/production stages

Dockerfile:2-17

Slim Base Image

python:3.12-slim-bullseye

Dockerfile:17

Non-Root User

Runs as appuser

Dockerfile:24,46

Cache Cleanup

rm -rf /root/.cache

Dockerfile:14

hashtag
Directory Permissions

Directory
Permission
Purpose

/app/strategies

755

Strategy scripts

/app/keys

700

Private keys (owner only)

/app/log

755

Application logs

hashtag
Docker Compose Security

Practice
Implementation
Location

Named Volumes

Persistent data isolation

docker-compose.yaml:31-40

Read-Only .env

Config mounted as :ro

docker-compose.yaml:20

Restart Policy

unless-stopped

docker-compose.yaml:27

hashtag
13. CORS Configuration

hashtag
Default Configuration

Setting
Default
Location

CORS_ENABLED

FALSE

.sample.env:104

CORS_ALLOWED_ORIGINS

Specific only

.sample.env:109

CORS_ALLOW_CREDENTIALS

FALSE

.sample.env:124

CORS_MAX_AGE

86400 (24h)

.sample.env:128

hashtag
Security Features

  • Disabled by Default: Must be explicitly enabled

  • No Wildcard Origins: Specific origins required

  • API Routes Only: Applied only to /api/*

Location: cors.py, app.py:117-119

hashtag
14. Security Headers

hashtag
Additional Headers

Header
Value
Location

Referrer-Policy

strict-origin-when-cross-origin

csp.py:127

Permissions-Policy

Restrictive defaults

csp.py:132

hashtag
Permissions Policy

hashtag
15. Multi-Factor Authentication

hashtag
TOTP Support

Feature
Implementation
Location

TOTP Generation

pyotp library

database/user_db.py:99-102

QR Code Setup

Scannable QR for authenticator apps

blueprints/auth.py:321-334

Password Reset

TOTP or Email options

blueprints/auth.py:83-269

hashtag
User Enumeration Prevention

Password reset returns the same response regardless of whether the email exists.

Location: blueprints/auth.py:98-106

hashtag
16. Vulnerability Management

hashtag
GitHub Dependabot Integration

Practice
Status

CVE Monitoring

Active via Dependabot alerts

Regular Updates

Security patches applied regularly

Dependency Tracking

Automated vulnerability detection

hashtag
Security Response

  • Regular CVE vulnerability fixes from Dependabot alerts

  • Timely security patches for dependencies

  • Supply chain security monitoring

hashtag
17. Security Libraries

hashtag
Core Security Dependencies

Library
Version
Purpose

argon2-cffi

23.1.0

Password hashing

cryptography

44.0.1

Fernet encryption

Flask-WTF

1.2.1

CSRF protection

Flask-Limiter

3.7.0

Rate limiting

Flask-Cors

6.0.0

CORS management

pyotp

2.9.0

TOTP authentication

Flask-SQLAlchemy

3.1.1

SQL injection prevention

bcrypt

4.1.3

Legacy password support

hashtag
Security Architecture Diagram

hashtag
Summary

OpenAlgo implements comprehensive security controls across all application layers:

Layer
Controls

Network

CORS, CSP, Security Headers, Rate Limiting

Authentication

Argon2, TOTP, Session Security

Authorization

CSRF, API Key Verification

Data

Fernet Encryption, Input Validation

Database

SQLAlchemy ORM, Parameterized Queries

Monitoring

Traffic Logging, IP Banning, Audit Trails

Infrastructure

Docker Hardening, Non-Root User

Supply Chain

Dependabot CVE Monitoring

This document is maintained as part of OpenAlgo's security documentation. For security concerns, please report to the maintainers.

PreviousBan IPNextrelease

Last updated