Security Guidelines

Access Tokens

By default, signac-dashboard generates a new random access token that is required to log in to the dashboard. This protects your data from access by other users on multi-user systems. To reuse browser sessions (e.g. so you can modify/rerun the dashboard and reload the browser page), set both ACCESS_TOKEN and SECRET_KEY to different fixed strings in the config dictionary. Ensure that the file storing the token and key are not readable by other users on the system and choose strings that are not easily guessed by others.

Ports

By default, the signac-dashboard application only listens to HTTP requests from localhost, on port 8888. Running the signac-dashboard Flask server with a configuration that makes it publicly accessible presents a critical security risk. For example, user-implemented modules may not be safe-guarded against arbitrary code execution. To enable remote access, use secure port forwarding via SSH.

Searches with $where

The use of the $where operator in searches is disabled by default and must be explicitly enabled, in which case the dashboard is vulnerable against code-injection attacks.