Everyone writing code must be responsible for security. 🔒

Start with the Rails Security Guide to see how Rails protects you.

• Keep secret tokens out of your code - ENV variables are a good practice

• Even with ActiveRecord, SQL injection is still possible if misused

  User.group(params[:column])

  is vulnerable to injection. Learn about other methods

• Use SecureHeaders - create an initializer with:

  SecureHeaders::Configuration.configure do |config|
    config.x_xss_protection = {value: 1, mode: "block"}
  end

• Protect all data in transit with HTTPS - add the following to config/environments/production.rb

  config.force_ssl = true

• Protect sensitive data at rest with a library like attr_encrypted

• Prevent host header injection - add the following to config/environments/production.rb

  config.action_controller.default_url_options = {host: "www.yoursite.com"}
  config.action_controller.asset_host = "www.yoursite.com"

• Set autocomplete="off" for sensitive form fields, like credit card number

• Use a trusted library like Devise for authentication

• Rate limit login attempts with Rack Attack

• Rails has a number of gems for authorization - we like Pundit

• Notify users of password changes and attempts to change email addresses

• Ask search engines not to index pages with secret tokens in the URL

  <meta name="robots" content="noindex, nofollow">

• Ask the browser not to cache pages with sensitive information

  response.headers["Cache-Control"] = "no-cache, no-store, max-age=0, must-revalidate"
  response.headers["Pragma"] = "no-cache"
  response.headers["Expires"] = "Sat, 01 Jan 2000 00:00:00 GMT"

• If you still use attr_accessible, upgrade to strong_parameters

• Brakeman is a great static analysis tool - it scans your code for vulnerabilities

• bundler-audit checks for vulnerable versions of gems

  To fix Insecure Source URI issues with the github option, add to the top of your Gemfile:

  git_source(:github) do |repo_name|
    repo_name = "#{repo_name}/#{repo_name}" unless repo_name.include?("/")
    "https://github.com/#{repo_name}.git"
  end

  And run bundle install.

• CodeClimate provides a hosted version of static analysis
• HackerOne allows you to enlist hackers to surface vulnerabilities

• Rails’ Insecure Defaults
• The Inadequate Guide to Rails Security
• The Matasano Crypto Challenges

Have other good practices? Know of more great tools? Help make this guide better for everyone.