Security is not an afterthought for Smart Inspect. This page explains the technical
measures in place to protect your account and your data.
Authentication
- Passwords are hashed using bcrypt with a strong work factor. We never store plain-text passwords.
- Sessions use secure, HTTP-only, SameSite=Lax cookies that cannot be accessed by JavaScript.
- Remember-me tokens are cryptographically signed and expire after 30 days.
- Email verification uses a time-limited signed token (24-hour expiry) to confirm account ownership.
- Password reset tokens expire after 1 hour and are single-use by design.
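
The following is an added example, not Smart Inspect's own code: one common way to build a reset token that expires after 1 hour and stops working once it has been used, by including the account's current password hash in the HMAC input so a successful reset invalidates the token without server-side token storage. The key, function names and sample hashes are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import time
from typing import Callable, Optional

SECRET_KEY = b"constructed-demo-key"  # assumption: server-side secret, never sent to clients
RESET_MAX_AGE = 3600                  # 1 hour, the reset-token lifetime stated above


def _mac(user_id: int, issued: int, password_hash: str) -> str:
    # The current password hash is MAC input only; it never appears in the token.
    msg = f"{user_id}.{issued}.{password_hash}".encode()
    digest = hmac.new(SECRET_KEY, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def make_reset_token(user_id: int, password_hash: str, now: Optional[float] = None) -> str:
    issued = int(time.time() if now is None else now)
    return f"{user_id}.{issued}.{_mac(user_id, issued, password_hash)}"


def verify_reset_token(token: str,
                       lookup_hash: Callable[[int], Optional[str]],
                       now: Optional[float] = None) -> Optional[int]:
    """Return the user id if the token is authentic, fresh and unused, else None."""
    try:
        uid_s, issued_s, mac = token.split(".")
        user_id, issued = int(uid_s), int(issued_s)
    except ValueError:
        return None                      # malformed token
    password_hash = lookup_hash(user_id)
    if password_hash is None:
        return None                      # unknown account
    expected = _mac(user_id, issued, password_hash)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None                      # forged, tampered, or password already changed
    current = time.time() if now is None else now
    if not 0 <= current - issued <= RESET_MAX_AGE:
        return None                      # expired (or issued in the future)
    return user_id


if __name__ == "__main__":
    users = {7: "$2b$12$constructed-old-hash"}      # constructed sample account
    tok = make_reset_token(7, users[7])
    print(verify_reset_token(tok, users.get))       # valid until the password changes
```

The token becomes unusable when the reset completes and the stored hash changes; a token that is issued but never redeemed simply ages out after the hour.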
Access control
- All application routes except the landing page require authentication.
- Users can only access, download, or delete their own reports.
- Report ownership is enforced server-side on every request — not just in the UI.
Rate limiting
- Login attempts are limited to 15 per minute per IP address to slow brute-force attacks.
- Password reset requests are limited to 6 per minute per IP.
Transport
- All connections use HTTPS (TLS). HTTP connections are redirected automatically in production.
- HSTS is enforced on production deployments.
CSRF protection
All state-changing form submissions are protected with CSRF tokens generated by Flask-WTF.
Tokens are tied to the user session and expire after 1 hour.
Data isolation
Each user's reports are associated with their account ID. The server verifies ownership
before serving any file download, deletion, or listing request.
Reporting a vulnerability
If you discover a security issue in Smart Inspect, please report it responsibly by emailing
security@smartinspect.app. We will respond within 48 hours.
Please do not disclose vulnerabilities publicly until we have had a reasonable opportunity to address them.
This application is actively maintained. Security patches are applied as soon as vulnerabilities
are identified and verified.