This gem takes the following steps to ensure security.
The auth tokens it issues are:
- changed after every request (can be turned off),
- of cryptographic strength,
- hashed using BCrypt (never stored in plain text),
- securely compared (to protect against timing attacks),
- invalidated after 2 weeks (thus requiring users to log in again).
These measures were inspired by this stackoverflow post.
This gem further mitigates timing attacks by using this technique.
But the most important step is to use HTTPS. You are on the hook for that: without TLS every measure above is defeated by anyone who can read the token off the wire.
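The following is an added example, not code from this gem, showing how the five token properties listed above fit together in a minimal store. It assumes a few things the page does not state: an in-memory hash keyed by a client id, a hypothetical `change_on_each_request` flag for the rotation option, an injectable clock so expiry can be tested, and PBKDF2-HMAC-SHA256 from the Ruby standard library as a stand-in for BCrypt (the gem itself uses BCrypt; PBKDF2 is used here only so the example runs without extra gems). The comparison hashes both digests to a fixed length and then compares byte by byte with a constant-time XOR fold, which is one common technique for keeping the comparison time independent of the attacker-controlled input.

```ruby
require "securerandom"
require "openssl"
require "digest"

# Constructed illustration of the token handling described above (not the
# gem's own implementation). PBKDF2-HMAC-SHA256 stands in for BCrypt so the
# example runs on a stock Ruby install.
class TokenStore
  LIFESPAN = 2 * 7 * 24 * 60 * 60 # two weeks, in seconds
  PBKDF2_ITERATIONS = 10_000     # assumption: work factor for the stand-in KDF

  # change_on_each_request mirrors the "changed after every request" option;
  # clock is injectable so expiry can be exercised deterministically.
  def initialize(change_on_each_request: true, clock: -> { Time.now.to_i })
    @change_on_each_request = change_on_each_request
    @clock = clock
    @records = {} # client_id => { salt:, digest:, expiry: }
  end

  # Issue a fresh token for a client. Only the salted hash is stored; the
  # plaintext goes back to the client once and is never persisted.
  def issue(client_id)
    token = SecureRandom.urlsafe_base64(32) # 256 bits from the CSPRNG
    salt  = SecureRandom.random_bytes(16)
    @records[client_id] = {
      salt: salt,
      digest: kdf(token, salt),
      expiry: @clock.call + LIFESPAN
    }
    token
  end

  # Authenticate a request. Returns nil on failure; on success returns the
  # token the client must present next (a new one unless rotation is off).
  def authenticate(client_id, presented_token)
    record = @records[client_id]
    return nil unless record
    if @clock.call > record[:expiry]
      @records.delete(client_id) # expired: force a fresh login
      return nil
    end
    candidate = kdf(presented_token.to_s, record[:salt])
    return nil unless constant_time_equal?(candidate, record[:digest])

    @change_on_each_request ? issue(client_id) : presented_token
  end

  private

  def kdf(token, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(token, salt, PBKDF2_ITERATIONS, 32, "sha256")
  end

  # Hash both sides to a fixed length first so neither the length nor the
  # position of the first differing byte leaks, then fold every byte
  # difference into one accumulator instead of returning early.
  def constant_time_equal?(a, b)
    da = Digest::SHA256.digest(a)
    db = Digest::SHA256.digest(b)
    diff = 0
    da.bytes.zip(db.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end
```

Usage: `store = TokenStore.new; t = store.issue("client-1"); next_token = store.authenticate("client-1", t)`. After a successful call the previous token is gone from the store, so a replayed request with the old value fails; once the clock passes `LIFESPAN` the record is dropped and the client has to log in again.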