Security Features
LabKey releases three major versions of the LabKey Server SDMS platform each year followed by subsequent maintenance releases. We encourage our users to always update to the most current release of LabKey Server to ensure they have the maximum protection against security risks. Below are just a few security features included in recent releases.
Authentication
User authentication is performed through LabKey Server’s core database authentication system by default. With Premium Editions of LabKey Server, other authentication methods including LDAP, SAML and CAS single sign-on protocols, and Duo two-factor authentication can also be configured. Premium Editions also support defining multiple configurations of each external authentication method.
User-Roles & Permissions
LabKey Server has a group- & role-based security model. This means that each user of the system belongs to one or more security groups, and can be assigned different roles (combinations of permissions) related to resources in the system.
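To make the group- and role-based model concrete, here is an added Python example (not LabKey's own code; the role names, permission names and directory structure are constructed for illustration). It resolves a user's effective permissions on a resource as the union of the permissions of every role granted to that user directly or to any group the user belongs to, and denies by default when nothing is assigned.

```python
from dataclasses import dataclass, field

# Constructed role catalogue: a role is a named bundle of permissions.
# These names are illustrative, not LabKey's built-in roles.
ROLE_PERMISSIONS = {
    "Reader": frozenset({"read"}),
    "Editor": frozenset({"read", "insert", "update"}),
    "Administrator": frozenset({"read", "insert", "update", "delete", "admin"}),
}


@dataclass
class Directory:
    """Minimal security directory: group membership plus per-resource role assignments."""
    groups: dict = field(default_factory=dict)       # group name -> set of user names
    assignments: dict = field(default_factory=dict)  # resource -> {principal: role}

    def add_member(self, group, user):
        self.groups.setdefault(group, set()).add(user)

    def assign(self, resource, principal, role):
        """Grant a role on a resource to a principal (a user or a group)."""
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {role}")
        self.assignments.setdefault(resource, {})[principal] = role

    def principals_for(self, user):
        """The user itself plus every group the user is a member of."""
        return {user} | {g for g, members in self.groups.items() if user in members}

    def effective_permissions(self, user, resource):
        """Union of permissions over all roles held by the user's principals on
        this resource. No assignment at all yields the empty set (deny by default)."""
        perms = set()
        for principal in self.principals_for(user):
            role = self.assignments.get(resource, {}).get(principal)
            if role is not None:
                perms |= ROLE_PERMISSIONS[role]
        return frozenset(perms)

    def has_permission(self, user, resource, permission):
        return permission in self.effective_permissions(user, resource)


if __name__ == "__main__":
    d = Directory()
    d.add_member("Lab Staff", "alice")
    d.add_member("Lab Staff", "bob")
    d.assign("/Project A", "Lab Staff", "Reader")   # whole group may read
    d.assign("/Project A", "alice", "Editor")       # alice additionally edits
    print(sorted(d.effective_permissions("alice", "/Project A")))
    print(sorted(d.effective_permissions("bob", "/Project A")))
    print(d.has_permission("bob", "/Project A", "update"))
```

The point worth noticing is that a user's rights are always computed, never stored: changing a group's role on a resource immediately changes every member's effective permissions, and a user with no assignment on a resource gets nothing.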
Cross-Site Request Forgery (CSRF) Protection
Beginning with version 19.1, LabKey Server enforces CSRF protection (requiring verification of a CSRF token) on all POST requests and, as of 19.3, it will detect all mutating operations and block them if they are attempted outside of a CSRF-protected POST request.
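The two-stage behaviour described above (a token check on every POST, plus refusing to run a state-changing action at all unless it arrives in a CSRF-verified POST) can be illustrated with the following added Python example. It is not LabKey's code: the request object, the handlers and the header/form-field name X-LABKEY-CSRF are constructed for this illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed header and form-field names used to carry the token (illustrative only).
CSRF_HEADER = "X-LABKEY-CSRF"
CSRF_FIELD = "X-LABKEY-CSRF"


@dataclass
class Request:
    """Constructed stand-in for a web framework's request object."""
    method: str
    session: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


class CsrfError(Exception):
    pass


def issue_csrf_token(session):
    """Mint one unguessable token per session. The server embeds it in its own
    forms and scripts; a cross-site page cannot read it, so it cannot send it."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_hex(32)
    return session["csrf_token"]


def verify_csrf(request):
    """Stage one: a POST must carry the session's token (header or form field).
    The comparison is constant-time so a mismatch does not leak token bytes."""
    if request.method != "POST":
        raise CsrfError("state-changing actions require a POST request")
    expected = request.session.get("csrf_token")
    supplied = request.headers.get(CSRF_HEADER) or request.form.get(CSRF_FIELD)
    if not expected or not supplied:
        raise CsrfError("missing CSRF token")
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        raise CsrfError("invalid CSRF token")


def mutating(handler):
    """Stage two: mark a handler as state-changing. It only runs after
    verify_csrf passes, so a GET, or a POST without the token, never reaches it."""
    def guarded(request, *args, **kwargs):
        verify_csrf(request)
        return handler(request, *args, **kwargs)
    guarded.is_mutating = True
    return guarded


def view_record(request, records, record_id):
    """Read-only handler: no CSRF requirement."""
    return ("ok", records.get(record_id))


@mutating
def delete_record(request, records, record_id):
    """State-changing handler, protected by the decorator."""
    records.pop(record_id, None)
    return ("ok", sorted(records))


def dispatch(handler, request, *args):
    """Route a request to a handler, turning a CSRF failure into a 403-style result."""
    try:
        return handler(request, *args)
    except CsrfError as exc:
        return ("403", str(exc))


if __name__ == "__main__":
    session = {}
    token = issue_csrf_token(session)
    records = {1: "sample A", 2: "sample B"}   # constructed in-memory data
    print(dispatch(delete_record, Request("GET", session), records, 1))
    print(dispatch(delete_record, Request("POST", session), records, 1))
    print(dispatch(delete_record, Request("POST", session, headers={CSRF_HEADER: token}), records, 1))
```

Marking handlers rather than URLs is what closes the gap the second stage addresses: a developer cannot accidentally expose a state change through a GET or an unprotected POST, because the guard travels with the code that performs the change.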
External Redirects Allowlist
LabKey Server restricts the host names that can be used in parameters that provide redirect URLs. By default, only redirects to the same LabKey instance are allowed. Other server host names must be added to the allow list by the administrator to allow them to be automatically redirected.
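An added Python example (not LabKey's implementation; the server host name, the allow-listed host and the fallback path are constructed) of how such an allow list is applied to a redirect parameter. It goes slightly beyond the text by also handling the URL shapes that most often slip past a naive host check: protocol-relative targets, backslashes that browsers treat as slashes, credentials before an "@", non-HTTP schemes and embedded control characters.

```python
from urllib.parse import urlsplit

# Constructed values: the server's own host and an administrator-maintained
# allow list of additional hosts that may be redirected to.
SERVER_HOST = "labkey.example.org"
ALLOWED_HOSTS = frozenset({"partner.example.org"})


def safe_redirect(target, server_host=SERVER_HOST, allowed_hosts=ALLOWED_HOSTS, fallback="/"):
    """Return `target` if it points at the server itself (same-site path or
    absolute URL) or at an allow-listed host; otherwise return `fallback`."""
    if not target:
        return fallback
    # Tabs, newlines and other control characters are silently stripped by
    # browsers but not by every server-side parser; refuse rather than guess.
    if any(ord(c) < 0x21 for c in target):
        return fallback
    # Browsers treat "\" as "/", so "/\evil.example" is really protocol-relative.
    normalized = target.replace("\\", "/")
    parts = urlsplit(normalized)
    if not parts.scheme:
        # No scheme: accept only a local path with a single leading slash.
        # "//host/..." (or more slashes) is a network-path reference to another host.
        if normalized.startswith("/") and not normalized.startswith("//"):
            return normalized
        return fallback
    if parts.scheme not in ("http", "https"):
        return fallback              # javascript:, data:, file: and similar
    host = parts.hostname            # lower-cased; user-info and port removed
    if not host:
        return fallback              # e.g. "http:///evil.example"
    if host == server_host or host in allowed_hosts:
        return normalized
    return fallback


if __name__ == "__main__":
    for candidate in [
        "/project/home/begin.view",
        "https://labkey.example.org/project/home/begin.view",
        "https://partner.example.org/landing",
        "//evil.example/phish",
        "/\\evil.example/phish",
        "https://labkey.example.org@evil.example/",
        "https://evil.example/?next=https://labkey.example.org/",
        "javascript:alert(1)",
    ]:
        print(f"{candidate!r:60} -> {safe_redirect(candidate)!r}")
```

The check compares the parsed host name, not a substring of the raw parameter, and it falls back to a fixed local path on any doubt; a redirect feature that fails closed costs the user one extra click, while one that fails open hands attackers a trusted-looking link.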
Antivirus Scanning (premium feature)
File uploads, attachments, archives and other content imported through the pipeline or WebDAV can now be scanned for viruses using ClamAV.