Find file
Fetching contributors…
Cannot retrieve contributors at this time
24 lines (22 sloc) 927 Bytes

Securing Your Rails App

  • Rails is a fairly safe framework
  • We normally provide features, not prohibiting something
  • #TODO
  • #TODO
  • Trust no one
    • Don't trust the browser
    • DB: user entered data
  • attr_accessible (whitelist), attr_protected (blacklist)
  • a lesson in timing attacks ( #TODO
  • XSS so'ns
    • Don't use raw, unless you have a good reason.
    • Don't blacklist or try to correct suspicious code
    • Rails: sanitize() helper, lets you give allowed tags
  • Look more at CanCan #TODO
  • Look more at FireSheep #TODO
  • SSL for more than login forms
    • Secure cookies
    • Strict-Transport-Security header (basically redirects to SSL), avoids a redirect that contains the cookie
  • Big takeaway: upgrading to Rails 3 includes lots of security changes
  • Security audit #TODO