InstaLab is designed for private, trusted network deployment and requires additional hardening before exposing to the internet.
The Flask API has NO authentication layer. All endpoints are publicly accessible. This includes:
- Triggering snapshot runs (
/api/run) - Accessing login status (
/api/logins) - Starting unfollow operations (
/api/unfollow/start) - Viewing follower/following data (
/api/run/<id>,/api/insights/*)
Recommendation: Deploy behind a reverse proxy with authentication (nginx/Caddy + SSO or basic auth), or implement API key validation.
- Set
DJANGO_SECRET_KEY(strong random value) - Set
DJANGO_DEBUG=False - Configure
DJANGO_ALLOWED_HOSTS - Set
INSTALAB_ENCRYPTION_KEY(required for encrypted login secrets) - Use HTTPS for all external access
- Restrict network access to trusted IPs/VPN
- Store secrets in
.env(never commit) - Rotate credentials if exposed
Store secrets in .env files (gitignored):
DJANGO_SECRET_KEY=your-random-50-char-secret
DJANGO_DEBUG=False
DJANGO_ALLOWED_HOSTS=yourdomain.com
INSTALAB_ENCRYPTION_KEY=base64-or-hex-secret- Logins live in Postgres
login_accountsand are encrypted at rest. - Passwords, TOTP seeds, challenge codes, and forced-reset passwords are encrypted using
INSTALAB_ENCRYPTION_KEY. - Session settings are stored in Postgres and cached in
/data/instalab/private.
- Session settings are not browser cookies.
- Treat
/data/instalab/privateas sensitive (same as passwords).
Option 1: Private LAN only (default)
- Expose UI/API only on a private network.
Option 2: Reverse proxy with auth (recommended)
location / {
auth_basic "InstaLab";
auth_basic_user_file /etc/nginx/.htpasswd;
proxy_pass http://localhost:8000;
}Option 3: VPN/Tailscale
- Expose only on a private tailnet.
- Postgres only.
- Do not expose DB to the public internet.
- Use strong passwords and rotate regularly.
- Run history –
runstable for unexpected snapshots - Unfollow actions –
unfollow_actionstable - Login changes –
login_accountstable - Proxy config –
configtable changes
- Worker logs and trace files are written to
/data/instalab/job_runs/job_<id>/. - Remove old job directories if storing long‑term.
If you discover a security vulnerability:
- Do NOT open a public issue
- Email the maintainer directly (see repository contact)
- Include repro steps and impact
Keep dependencies current:
pip list --outdated
npm outdatedThis security policy follows the same license terms as the InstaLab project.