Security & Access Model

BOL is designed with a zero-friction, profile-optional architecture that balances accessibility with data protection. There is no login wall — but user profiles are protected with credentials for those who choose to create them.

Open Access by Design

BOL is accessible to everyone without a login requirement. Every feature — simulation, dashboard, microscope, parameter sweeps — is fully functional for anonymous users. This ensures researchers, students, and curious minds can explore origin-of-life science without friction.

Access Level
Full Access — No login required

Optional User Profiles

Users who want to save configurations, track simulation history, or personalize their experience can create a profile. Profiles are protected by credentials (username and password) and are only accessible with valid authentication. Without a profile, BOL operates in a stateless, session-based mode.

Profile Security
Credential-Protected

Credential Storage

Passwords are never stored in plain text. BOL uses industry-standard one-way hashing (bcrypt with per-user salts) to protect credentials at rest. Even database compromise would not reveal user passwords. Session tokens are cryptographically random and time-limited.

Algorithm
bcrypt + per-user salt + time-limited sessions

Local-First Architecture

BOL runs locally on your machine. No data is sent to external servers. Simulation state, profile data, and configuration files stay on your local filesystem. This eliminates cloud-based attack vectors and ensures complete data sovereignty.

Data Residency
Local Only — 127.0.0.1

Input Validation

All API inputs are validated and sanitized server-side. Simulation parameters are type-checked and range-clamped. Scenario file names are restricted to an allow-list. JSON payloads are parsed safely with no eval() or code injection paths.

Protection
Type checking, range clamping, allow-list filtering

Privacy by Default

BOL collects no analytics, no telemetry, and no usage tracking. Profile data is visible only to the profile owner. There are no cookies beyond a session identifier (for profile users). Anonymous users leave no trace.

Tracking
Zero Tracking — No analytics, no telemetry

How Profiles Work

Creating a Profile

  • Navigate to the Profile page via the user icon in the top bar.
  • Choose a display name and set a password.
  • Your profile is stored locally and protected by your credentials.
  • No email or personal information is required.

Accessing Your Profile

  • Click the profile icon and enter your credentials to access your saved settings.
  • Profile sessions are time-limited and require re-authentication after expiry.
  • Multiple profiles can coexist on the same installation.

Anonymous Usage

  • All features work without a profile — no functionality is gated.
  • Anonymous sessions are ephemeral and leave no persistent data.
  • You can create a profile at any time to start saving your work.

Security Summary

Concern Mitigation Status
Unauthorized profile access Credential-based authentication with bcrypt hashing Protected
Data exfiltration Local-only architecture — no external network calls Mitigated
Injection attacks Server-side input validation, allow-list scenario filtering Mitigated
Session hijacking Cryptographically random tokens, time-limited sessions Protected
Password compromise One-way bcrypt hash with per-user salt — no plain text storage Protected
Privacy / tracking Zero analytics, zero telemetry, no external cookies By Design