Security

An overview of how Gradency protects your account and your students' data.

Authentication

  • Passwords hashed with bcrypt (cost factor 12) — never stored or logged in plaintext.
  • Session tokens (JWT) live in HttpOnly, SameSite=Strict cookies. JavaScript cannot read them, so script injected via XSS cannot steal the session token.
  • CSRF protection via the double-submit-cookie pattern: every mutating request requires a matching X-CSRF-Token header.
  • Login rate-limited to 5 attempts per minute per IP.
  • Changing your password immediately invalidates all existing sessions across devices.

Authorization

  • Every protected endpoint loads resources through a single ownership-verifying helper. Cross-user attempts return HTTP 404 (not 403) to avoid existence-leak side channels.
  • Admin endpoints require an explicit admin role check.
  • A comprehensive automated test suite enforces the cross-user contract on every release.

Data protection

  • All traffic to and from the Service is encrypted with TLS 1.3.
  • Daily backups stored in encrypted-at-rest object storage.
  • Database access requires authenticated connections inside our private network.

Input validation

  • All API inputs are validated by Pydantic schemas.
  • SQL queries are parameterized — SQL injection is prevented by design.
  • File uploads go through MIME validation, size caps, and chunked streaming (no full-file slurping).
  • Encrypted/password-protected PDFs are rejected at upload with a clear error.
  • Path-traversal attempts (../, URL-encoded variants, NUL bytes) are rejected at the route level.
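As an added illustration of the path-traversal rule in the last bullet, this is example code written for this page, not Gradency's own implementation; the storage directory name and the decode bound are assumptions.

```python
import os
from typing import Optional
from urllib.parse import unquote

# Constructed example of a route-level check for upload file names, added here to
# illustrate the rejection rules above; it is not Gradency's own code.
MAX_DECODE_ROUNDS = 3  # assumed bound: enough to collapse double-encoded "%252e"


def percent_decode_fully(raw: str) -> str:
    """Percent-decode until the value stops changing (bounded), so that
    single- and double-encoded sequences are compared in their literal form."""
    value = raw
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def traversal_rejection_reason(raw: str) -> Optional[str]:
    """Return None for a plain single-segment file name, otherwise the reason
    the name is rejected (NUL byte, absolute path, '..' segment, separators)."""
    if not raw:
        return "empty name"
    name = percent_decode_fully(raw)
    if "\x00" in name:
        return "nul byte"
    # Treat backslash as a separator too, so "..\\x" is not accepted as one segment.
    name = name.replace("\\", "/")
    if name.startswith("/"):
        return "absolute path"
    segments = name.split("/")
    if ".." in segments:
        return "parent directory segment"
    if len(segments) != 1 or segments[0] in ("", "."):
        return "not a single file name"
    return None


def resolve_under(base_dir: str, raw: str) -> Optional[str]:
    """Second layer: after the name check, confirm the resolved target still
    lies inside base_dir. Returns the absolute path, or None if rejected."""
    if traversal_rejection_reason(raw) is not None:
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, percent_decode_fully(raw)))
    if os.path.commonpath([base, target]) != base:
        return None
    return target
```

The realpath check is defence in depth: the name check alone already rejects every variant listed above, so the second layer only matters if the first is ever loosened.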

Frontend hardening

  • Content-Security-Policy header restricts script and connection sources.
  • Math rendering (KaTeX) runs with trust: false; output sanitized through DOMPurify with a strict allowlist.
  • PDF rendering uses pdfjs-dist 4.x (CVE-2024-4367 patched).

Operational

  • Dependency CVEs monitored; security patches applied on a regular cadence.
  • Production environment requires explicit non-default secrets (the application refuses to boot otherwise).
  • Health endpoints (/health/live, /health/ready) expose liveness and readiness probes.

Reporting a vulnerability

Found a security issue? We want to know — please use our contact page and pick the "Security disclosure" subject. Please give us reasonable time to respond before public disclosure; we treat security reports with priority.

What we don't claim

Gradency has not undergone formal third-party penetration testing or compliance certification (SOC 2, ISO 27001, etc.). For regulated environments (FERPA, HIPAA, etc.), self-hosting on infrastructure your institution controls is the recommended deployment model. Contact us for guidance.