Security aspects
This page explains how security is handled in FlexMeasures. This deals with encryption, authentication and authorization. For hosts, we also provide some best practices.
Data
A FlexMeasures server handles two types of data in its Postgres database - structural data (e.g. information about sites, assets, users) and time series data for energy consumption/generation, prices or weather. Read more on The FlexMeasures data model. There is also a Redis database with information about ongoing forecasting and scheduling jobs (stored in a queueing system).
How these Postgres and Redis databases are set up and protected is up to the host.
More crucial to this documentation is that each FlexMeasures server reads from and writes to the Postgres database according to strict authentication and authorization rules. Much of the remainder of this page describes how this is implemented.
Finally, when sending data back and forth between clients (e.g. browsers) and the server, the FlexMeasures application communicates all data with HTTPS, the Hypertext Transfer Protocol encrypted by Transport Layer Security. This is used even if the application is accessed via http://.
Authentication
Authentication is the system by which users tell the FlexMeasures platform that they are who they claim they are. This involves a username/password combination (“credentials”) or an access token.
No user passwords are stored in clear text on any server - the FlexMeasures platform only stores the hashed passwords (encrypted with the bcrypt hashing algorithm). If an attacker steals these password hashes, they cannot compute the passwords from them in a practical amount of time.
In the API, access tokens are used so that the sending of usernames and passwords is limited (even if they are encrypted via https, see above) when dealing with the part of the FlexMeasures platform which sees the most traffic: the API functionality. Tokens thus have use cases for some scenarios, where developers want to treat authentication information with a little less care than credentials should be treated with, e.g. sharing among computers. However, they also expire fast, which is a common industry practice (by making them short-lived and requiring refresh, FlexMeasures limits the time an attacker can abuse a stolen token). At the moment, the access tokens on FlexMeasures platform expire after six hours. Access tokens are encrypted and validated with the sha256_crypt algorithm, and the functionality to expire tokens is realised by storing the seconds since January 1, 2011 in the token. The maximum age of access tokens in FlexMeasures can be altered by setting the env variable SECURITY_TOKEN_MAX_AGE to the number of seconds after which tokens should expire.
In the UI, FlexMeasures uses two-factor authentication (2FA). This means that the knowledge of the password to your FlexMeasures account is not sufficient to gain access ― you also need a second piece of knowledge, which requires you to also have access to an independent system or device (e.g. a token sent to your email address).
Note
Authentication (and authorization, see below) affects the FlexMeasures API and UI. The CLI (command line interface) can only be used if the user is already on the server and can execute flexmeasures commands, thus we can safely assume they are admins.
Best security-practices for hosts
Use the
TRUSTED_HOSTSsetting (see the Flask docs on the configuration and on the topic of host header validation) to specify on which hosts the platform is actually being provided. As an example for why this is valuable: FlexMeasures constructs URLs, e.g. for password reset links. Client code could set its ownHostrequest header to make these URLs lead to a different server. If the client “poisons” the URLs for its own users this way, they are using the user’s trust in the FlexMeasures host platform to hack them. List your own domain in this setting, but also the IP of your load balancer, if you are using one.