lunalium/secure_rails
Secure Rails

Everyone writing code must be responsible for security. 🔒

Start with the Rails Security Guide to see how Rails protects you.

Best Practices

  • Keep secret tokens (secret_key_base, API keys, database passwords) out of your code and version control - loading them from ENV variables is a good practice

  • Even with ActiveRecord, SQL injection is still possible when user input reaches a method that takes a raw SQL fragment

    User.group(params[:column])

    is vulnerable to injection because group interpolates its argument straight into the generated query; only pass values you have checked against an allowlist of column names. Learn about other methods

  • Use SecureHeaders - create an initializer with:

    SecureHeaders::Configuration.configure do |config|
      config.x_xss_protection = {value: 1, mode: "block"}
    end

    Current browsers ignore X-XSS-Protection; the header that does the real work today is Content-Security-Policy, which SecureHeaders also manages
  • Protect all data in transit with HTTPS - add the following to config/environments/production.rb

    config.force_ssl = true
  • Protect sensitive data at rest with a library like attr_encrypted (Rails 7 and later ship Active Record Encryption for the same purpose)

  • Prevent host header injection - generated links (password reset emails, for example) must not be built from whatever Host header the attacker sends, so pin the host in config/environments/production.rb

    config.action_controller.default_url_options = {host: "www.yoursite.com"}
    config.action_controller.asset_host = "www.yoursite.com"

    Rails 6 and later additionally let you reject requests for unexpected hosts outright with the config.hosts allowlist
  • Set autocomplete="off" for sensitive form fields, like credit card number (browsers generally ignore it on password fields, but it still prevents card numbers and similar values from being stored in form history)

  • Use a trusted library like Devise for authentication

  • Rate limit login attempts with Rack Attack

  • Rails has a number of gems for authorization - we like Pundit

  • Notify users of password changes and attempts to change email addresses

  • Ask search engines not to index pages with secret tokens in the URL (and prefer not to put tokens in URLs at all, since they also leak through Referer headers and server logs)

    <meta name="robots" content="noindex, nofollow">
  • Ask the browser not to cache pages with sensitive information - set these headers in the controller actions (or a before_action) that render such pages

    response.headers["Cache-Control"] = "no-cache, no-store, max-age=0, must-revalidate"
    response.headers["Pragma"] = "no-cache"
    response.headers["Expires"] = "Sat, 01 Jan 2000 00:00:00 GMT"
  • If you still use attr_accessible (removed from Rails core in 4.0), upgrade to strong_parameters so that only explicitly permitted attributes reach mass assignment
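The SQL injection bullet above deserves a concrete look. The following is an added example, not code from this guide: it mimics the SQL that `User.group(params[:column])` produces from raw input, then shows the allowlist check that should sit in front of any such call. It runs without Rails; `ALLOWED_GROUP_COLUMNS`, `build_group_sql_unsafe`, `safe_group_column` and `build_group_sql` are hypothetical stand-ins for a User model's column list and the relation's query building.

```ruby
# Added example, not part of the secure_rails guide.
#
# ActiveRecord hands the argument of group/order/pluck/select straight to the
# SQL it generates, so a caller-controlled string becomes part of the query.
# The names below are hypothetical stand-ins for a User model's columns and
# for the SQL that `User.group(column).count` would emit.

ALLOWED_GROUP_COLUMNS = %w[role country created_at].freeze

class UnsafeColumnError < ArgumentError; end

# Vulnerable: mirrors what User.group(params[:column]).count does with raw input.
def build_group_sql_unsafe(column)
  "SELECT #{column}, COUNT(*) FROM users GROUP BY #{column}"
end

# Hardened: only a value from the allowlist is ever spliced into SQL.
# Unknown values raise instead of silently falling back, so the attempt is visible.
def safe_group_column(param)
  column = param.to_s
  unless ALLOWED_GROUP_COLUMNS.include?(column)
    raise UnsafeColumnError, "column not allowed: #{column.inspect}"
  end
  column
end

def build_group_sql(param)
  column = safe_group_column(param)
  "SELECT #{column}, COUNT(*) FROM users GROUP BY #{column}"
end

# Constructed attacker input: the trailing "--" comments out the rest of the
# statement, so the "count per group" query becomes
#   SELECT password_digest FROM users
# and dumps every password hash instead of a count.
MALICIOUS_COLUMN = "password_digest FROM users -- "

if __FILE__ == $PROGRAM_NAME
  puts build_group_sql_unsafe(MALICIOUS_COLUMN)
  puts build_group_sql("role")
  begin
    build_group_sql(MALICIOUS_COLUMN)
  rescue UnsafeColumnError => e
    puts "rejected: #{e.message}"
  end
end
```

In a Rails app the allowlist would typically come from the model (for example the subset of `User.column_names` that a view is allowed to group by) and the check would live in the controller before the relation is built.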
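Setting the no-cache headers from the "Ask the browser not to cache" bullet in every sensitive action is easy to forget. The following is an added example, not code from this guide: a small Rack middleware that applies those exact headers to every response under a set of sensitive path prefixes. It is plain Ruby with no dependency on the Rack gem; `NoCacheSensitivePaths`, `SENSITIVE_PREFIXES` and `DEMO_APP` are hypothetical names for this illustration.

```ruby
# Added example, not part of the secure_rails guide.
#
# Rack middleware that adds the guide's no-cache headers to responses whose path
# falls under a sensitive prefix. The prefix list is a hypothetical choice for
# the application; adjust it to the routes that render personal data.
class NoCacheSensitivePaths
  SENSITIVE_PREFIXES = ["/account", "/billing", "/admin"].freeze

  # Same header values the guide recommends setting in the controller.
  NO_CACHE_HEADERS = {
    "Cache-Control" => "no-cache, no-store, max-age=0, must-revalidate",
    "Pragma"        => "no-cache",
    "Expires"       => "Sat, 01 Jan 2000 00:00:00 GMT"
  }.freeze

  def initialize(app, prefixes: SENSITIVE_PREFIXES)
    @app = app
    @prefixes = prefixes
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers = headers.merge(NO_CACHE_HEADERS) if sensitive?(env["PATH_INFO"].to_s)
    [status, headers, body]
  end

  private

  # Match the prefix itself or anything below it, but not "/accounts" for "/account".
  def sensitive?(path)
    @prefixes.any? { |prefix| path == prefix || path.start_with?("#{prefix}/") }
  end
end

# Constructed downstream app standing in for the Rails stack.
DEMO_APP = ->(env) { [200, { "Content-Type" => "text/html" }, ["<h1>#{env['PATH_INFO']}</h1>"]] }

# Returns the [status, headers, body] triple for a GET of the given path.
def demo_response(path)
  NoCacheSensitivePaths.new(DEMO_APP).call("PATH_INFO" => path, "REQUEST_METHOD" => "GET")
end

if __FILE__ == $PROGRAM_NAME
  ["/account/settings", "/accounts/public", "/billing"].each do |path|
    _, headers, = demo_response(path)
    puts "#{path}: Cache-Control=#{headers['Cache-Control'].inspect}"
  end
end
```

Install it with `config.middleware.use NoCacheSensitivePaths` in config/application.rb. Note that Rack 3 expects lowercase header names, so on that version the keys in `NO_CACHE_HEADERS` should be written as `cache-control`, `pragma` and `expires`.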

Open Source Tools

  • Brakeman is a great static analysis tool - it scans your code for vulnerabilities such as SQL injection, cross-site scripting and mass assignment; run it from the application root

  • bundler-audit checks your Gemfile.lock for gems with known vulnerabilities and for insecure gem sources

    To fix Insecure Source URI issues with the github option (Bundler 1.x resolves github: shorthand to a git:// URL, which is unauthenticated; Bundler 2 already uses https), add to the top of your Gemfile:

    git_source(:github) do |repo_name|
      repo_name = "#{repo_name}/#{repo_name}" unless repo_name.include?("/")
      "https://github.com/#{repo_name}.git"
    end

    And run bundle install.

Services

  • CodeClimate provides a hosted version of static analysis
  • HackerOne allows you to enlist hackers to surface vulnerabilities

Additional Reading

Contributing

Have other good practices? Know of more great tools? Help make this guide better for everyone.

About

Rails security best practices
