Password storage
- Passwords are hashed with bcrypt (10 rounds) before storage.
- Plaintext passwords are never stored.
- Passwords are never logged, displayed in debug output, or included in support requests.
Session lifetime
- Sessions are JWT-based.
- Session tokens expire after 7 days of inactivity.
- Active sessions refresh the token every 24 hours.
- Cookies are marked HttpOnly, SameSite=Lax, and Secure in production.
Rate limiting
To protect against brute-force attacks, the following endpoints are rate-limited per IP address:
- Login attempts: 10 per 15 minutes
- Registration: 5 per hour
- Upload initiation: 30 per 15 minutes
Exceeding these limits returns HTTP 429 with a Retry-After header.
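The following is an added illustration of how the limits above can be enforced as a per-IP sliding window that yields the documented HTTP 429 and Retry-After response; it is not QOOM's own code, and the endpoint keys, the RateLimiter class and the sample addresses are assumptions.

```python
import math
from collections import defaultdict, deque

# Documented limits: endpoint -> (max requests, window length in seconds).
# Endpoint keys are assumed names, not QOOM's actual route identifiers.
LIMITS = {
    "login": (10, 15 * 60),
    "register": (5, 60 * 60),
    "upload_init": (30, 15 * 60),
}


class RateLimiter:
    """Sliding-window limiter keyed by (endpoint, client IP)."""

    def __init__(self, limits=LIMITS):
        self.limits = limits
        # (endpoint, ip) -> timestamps (seconds) of requests still inside the window
        self.hits = defaultdict(deque)

    def check(self, endpoint, ip, now):
        """Account for one request at time `now`.

        Returns (status, retry_after): status 200 when the request is allowed,
        429 when the window is full. retry_after is the number of whole seconds
        until the oldest counted request falls out of the window (0 if allowed).
        Rejected requests are not recorded, so they do not extend the lockout.
        """
        max_hits, window = self.limits[endpoint]
        q = self.hits[(endpoint, ip)]
        # Evict timestamps that are now outside the window.
        while q and q[0] <= now - window:
            q.popleft()
        if len(q) >= max_hits:
            retry_after = math.ceil(q[0] + window - now)
            return 429, max(retry_after, 1)
        q.append(now)
        return 200, 0


def response_headers(status, retry_after):
    """Headers to attach to the response; Retry-After only accompanies a 429."""
    if status == 429:
        return {"Retry-After": str(retry_after)}
    return {}
```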
If you forget your password
Password reset flows are planned in a future release. For now, contact an administrator to have your password reset or your account recreated.
Signing out
Sign out from any page using the account menu. Signing out invalidates the current session cookie on the server.
Security best practices
- Use a unique password for QOOM, not reused from other services.
- Use a password manager.
- Do not share your account with colleagues — create separate accounts instead, so each action is attributable in the audit log.
- Report any suspected compromise immediately.