Everyone writing code must be responsible for security.

Start with the Rails Security Guide to see how Rails protects you.
- Keep secret tokens out of your code - `ENV` variables are a good practice
- Even with ActiveRecord, SQL injection is still possible if misused

  ```ruby
  User.group(params[:column])
  ```

  is vulnerable to injection. Learn about other methods
- Use SecureHeaders - create an initializer with:

  ```ruby
  SecureHeaders::Configuration.configure do |config|
    config.x_xss_protection = {value: 1, mode: "block"}
  end
  ```
- Protect all data in transit with HTTPS - add the following to `config/environments/production.rb`

  ```ruby
  config.force_ssl = true
  ```
- Protect sensitive data at rest with a library like attr_encrypted
- Prevent host header injection - add the following to `config/environments/production.rb`

  ```ruby
  config.action_controller.default_url_options = {host: "www.yoursite.com"}
  config.action_controller.asset_host = "www.yoursite.com"
  ```
- Set `autocomplete="off"` for sensitive form fields, like credit card number
- Use a trusted library like Devise for authentication
- Rate limit login attempts with Rack Attack
- Rails has a number of gems for authorization - we like Pundit
- Notify users of password changes and attempts to change email addresses
- Ask search engines not to index pages with secret tokens in the URL

  ```html
  <meta name="robots" content="noindex, nofollow">
  ```
- Ask the browser not to cache pages with sensitive information

  ```ruby
  response.headers["Cache-Control"] = "no-cache, no-store, max-age=0, must-revalidate"
  response.headers["Pragma"] = "no-cache"
  response.headers["Expires"] = "Sat, 01 Jan 2000 00:00:00 GMT"
  ```
- If you still use `attr_accessible`, upgrade to strong_parameters
- Brakeman is a great static analysis tool - it scans your code for vulnerabilities
- bundler-audit checks for vulnerable versions of gems

  To fix `Insecure Source URI` issues with the `github` option, add to the top of your `Gemfile`:

  ```ruby
  git_source(:github) do |repo_name|
    repo_name = "#{repo_name}/#{repo_name}" unless repo_name.include?("/")
    "https://github.com/#{repo_name}.git"
  end
  ```

  And run `bundle install`.
- CodeClimate provides a hosted version of static analysis
- HackerOne allows you to enlist hackers to surface vulnerabilities
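The `User.group(params[:column])` item above shows the problem; the usual fix is to allowlist column names before they reach `group` or `order`, since both interpolate their argument into SQL. This is an added example, not code from the guide; the column names and the `params` keys are assumptions, and it is plain Ruby so it runs without ActiveRecord.

```ruby
# Added example (not from the Secure Rails guide): allowlist user-supplied
# column names before passing them to ActiveRecord's group/order.
# Assumed: a hypothetical users table with these columns.
ALLOWED_GROUP_COLUMNS = %w[country plan role].freeze
ALLOWED_SORT_COLUMNS  = %w[created_at name email].freeze
SORT_DIRECTIONS       = %w[asc desc].freeze

class UnsafeColumn < ArgumentError; end

# Returns the column only if it is exactly one of the allowlisted names.
# Anything else, e.g. "country; DROP TABLE users", is rejected rather than
# handed to User.group as a raw SQL fragment.
def safe_group_column(param, allowed = ALLOWED_GROUP_COLUMNS)
  value = param.to_s
  return value if allowed.include?(value)

  raise UnsafeColumn, "group column not permitted: #{value.inspect}"
end

# Parses "name desc" or "created_at" into a Hash for order(column: :dir),
# e.g. { name: :desc }, so no SQL string is ever built from the input.
# A blank/missing parameter falls back to the default ordering.
def safe_order(param, allowed = ALLOWED_SORT_COLUMNS, default: { created_at: :desc })
  text = param.to_s.strip.downcase
  return default if text.empty?

  column, direction = text.split(/\s+/, 2)
  direction ||= "asc"
  unless allowed.include?(column) && SORT_DIRECTIONS.include?(direction)
    raise UnsafeColumn, "order not permitted: #{param.inspect}"
  end

  { column.to_sym => direction.to_sym }
end

# Assumed controller usage:
#   User.group(safe_group_column(params[:column]))
#   User.order(safe_order(params[:sort]))
```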
Have other good practices? Know of more great tools? Help make this guide better for everyone.