Since our inception in 2003, security has been of the utmost importance to LabKey and our research partners. We take a proactive approach to improving the platform to overcome the ever-evolving cyber security challenges faced by companies in every industry.
At LabKey, security begins with educating our developers on avoiding security vulnerabilities through proper coding and best practices. Every feature is designed with security in mind, ensuring that only authorized users are able to view and modify data. Each release of LabKey Server undergoes extensive automated and manual testing to identify potential bugs and vulnerabilities before release. Additionally, we employ automated security scanners and regularly use independent cyber security firms to perform manual penetration testing of the platform. Detailed reports from these efforts are reviewed and any issues are quickly fixed.
Recently Added Security Features
LabKey releases three major versions of the LabKey Server platform each year followed by subsequent maintenance releases. We encourage our users to always update to the most current release of LabKey Server to ensure they have the maximum protection against security risks. Below are just a few security features included in recent releases.
Cross-Site Request Forgery (CSRF) Protection – Beginning with version 19.1, LabKey Server enforces CSRF protection (requiring verification of a CSRF token) on all POST requests and, as of 19.3, it detects all mutating operations and blocks them if they are attempted outside of a CSRF-protected POST request.
External Redirects Whitelist – LabKey Server restricts the host names that can be used in parameters that provide redirect URLs. By default, only redirects to the same LabKey instance are allowed. Other server host names must be whitelisted by an administrator before the server will automatically redirect to them.
Antivirus Scanning (premium feature) – File uploads, attachments, archives and other content imported through the pipeline or WebDAV can now be scanned for viruses using ClamAV.
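The redirect restriction described above, shown as an added example of how such a check can be written; this is illustrative code, not LabKey Server's own implementation, and the instance host name and allowlist are constructed assumptions. A redirect target passes only if it is a path on this instance or an absolute URL whose host is this instance or an administrator-whitelisted host.

```python
from urllib.parse import urlsplit

# Constructed values for the example: the host name of this instance and the
# administrator-maintained whitelist of external hosts.
SERVER_HOST = "labkey.example.org"
ALLOWED_REDIRECT_HOSTS = {"sso.example.org"}


def is_safe_redirect(url, server_host=SERVER_HOST, allowed_hosts=ALLOWED_REDIRECT_HOSTS):
    """Return True only if `url` redirects to this instance or to a whitelisted host."""
    if not isinstance(url, str):
        return False
    url = url.strip()
    if not url:
        return False
    # Backslashes and control characters make browsers and servers disagree on
    # where the host name ends, so refuse them before parsing at all.
    if any(c in url for c in "\\\r\n\t\x00"):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:            # e.g. an unterminated IPv6 literal
        return False
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False              # javascript:, data:, ftp:, ...
    if not parts.netloc:
        # No authority component: accept only a plain path on this instance.
        # "https:evil.example" and "///evil.example" reach this branch and are
        # refused, since a browser would resolve both to a foreign host.
        return not parts.scheme and url.startswith("/") and not url.startswith("//")
    if parts.username is not None or parts.password is not None:
        return False              # https://labkey.example.org@evil.example/
    host = parts.hostname         # lower-cased, with port and userinfo removed
    if not host:
        return False
    return host == server_host.lower() or host in {h.lower() for h in allowed_hosts}
```

The port is deliberately not compared, so a whitelisted host is accepted on any port; tighten that if your deployment needs it.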
Vulnerability Management & Resolution
On rare occasions, we may identify or be notified of an issue that poses a security risk. When this occurs, the LabKey team promptly assesses the issue and determines a timeline for resolution based on the severity of the risk. After our initial assessment, we fix the identified vulnerabilities and deliver maintenance releases of the latest production version to our clients as soon as possible. Maintenance releases are also delivered for critical security issues and high priority bug fixes in older production versions of LabKey Server that are still in active use.