
Merge pull request #8581 from garysweaver/security_guide_update

Update security guide
commit 8ee1c26abcb39dded64c4dacb945292769392469 2 parents 48b40ec + d2b1584
Guillermo Iguaran guilleiguaran authored

Showing 1 changed file with 11 additions and 7 deletions.

18 guides/source/security.md
@@ -94,17 +94,16 @@ Rails 2 introduced a new default session storage, CookieStore. CookieStore saves
94 94
95 95 * The client can see everything you store in a session, because it is stored in clear-text (actually Base64-encoded, so not encrypted). So, of course, _you don't want to store any secrets here_. To prevent session hash tampering, a digest is calculated from the session with a server-side secret and inserted into the end of the cookie.
96 96
97   -That means the security of this storage depends on this secret (and on the digest algorithm, which defaults to SHA512, which has not been compromised, yet). So _don't use a trivial secret, i.e. a word from a dictionary, or one which is shorter than 30 characters_. Put the secret in your environment.rb:
  97 +That means the security of this storage depends on this secret (and on the digest algorithm, which defaults to SHA512, which has not been compromised, yet). So _don't use a trivial secret, i.e. a word from a dictionary, or one which is shorter than 30 characters_.
98 98
99   -```ruby
100   -config.action_dispatch.session = {
101   - key: '_app_session',
102   - secret: '0x0dkfj3927dkc7djdh36rkckdfzsg...'
103   -}
104   -```
  99 +Newly generated applications get their `config.secret_key_base` (or in `environment.rb` in some past versions) initialized to a random key in `config/initializers/secret_token.rb`, e.g.:
  100 +
  101 + Posts::Application.config.secret_token = 'dkfj3927dkc7djdh36rkckdfzsg...'
105 102
106 103 There are, however, derivatives of CookieStore which encrypt the session hash, so the client cannot see it.
107 104
  105 +If you have received an application where the secret was exposed (e.g. an application whose source was shared), strongly consider changing the secret.
  106 +
108 107 ### Replay Attacks for CookieStore Sessions
109 108
110 109 TIP: _Another sort of attack you have to be aware of when using `CookieStore` is the replay attack._
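Review bot: the new paragraph names `config.secret_key_base`, but the example right below it sets `config.secret_token`, so a reader cannot tell which setting the guide is describing; use the name that matches the example (`secret_token`, which is also what the file name `config/initializers/secret_token.rb` suggests) or say explicitly that both exist and how they relate. The example also lost the ```ruby fence the removed block had: with only a single leading space, ` Posts::Application.config.secret_token = 'dkfj3927dkc7djdh36rkckdfzsg...'` will render as plain text in the guide, so re-fence it. Lastly, the parenthetical "(or in `environment.rb` in some past versions)" sits between the setting name and its initializer and reads as if the setting itself lived in `environment.rb`; moving it to the end of the sentence would make the version note unambiguous.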
@@ -959,6 +958,11 @@ Used to control which sites are allowed to bypass same origin policies and send
959 958 * Strict-Transport-Security
960 959 [Used to control if the browser is allowed to only access a site over a secure connection](http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security)
961 960
  961 +Environmental Security
  962 +----------------------
  963 +
  964 +It is beyond the scope of this guide to inform you on how to secure your application code and environments. However, please secure your database configuration, e.g. `config/database.yml`, and your server-side secret, e.g. stored in `config/initializers/secret_token.rb`. You may want to further restrict access, using environment-specific versions of these files and any others that may contain sensitive information.
  965 +
962 966 Additional Resources
963 967 --------------------
964 968
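Review bot: the new Environmental Security section tells the reader to "further restrict access" to `config/database.yml` and `config/initializers/secret_token.rb` without saying how, and "environment-specific versions of these files" does not explain what restricting means in practice; since the previous hunk warns about applications "whose source was shared", state the concrete measures the advice implies, such as keeping these files out of the shared source tree and limiting who can read them on the server. The opening sentence ("It is beyond the scope of this guide to inform you on how to secure your application code and environments.") also undercuts the guidance that follows it in the same paragraph; consider dropping it or narrowing it to the topics the guide really does not cover.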

0 comments on commit 8ee1c26
