Update security guide #8581

Merged
merged 1 commit into from Dec 21, 2012
18 changes: 11 additions & 7 deletions guides/source/security.md
Expand Up @@ -94,17 +94,16 @@ Rails 2 introduced a new default session storage, CookieStore. CookieStore saves

* The client can see everything you store in a session, because it is stored in clear-text (actually Base64-encoded, so not encrypted). So, of course, _you don't want to store any secrets here_. To prevent session hash tampering, a digest is calculated from the session with a server-side secret and inserted into the end of the cookie.

That means the security of this storage depends on this secret (and on the digest algorithm, which defaults to SHA512, which has not been compromised, yet). So _don't use a trivial secret, i.e. a word from a dictionary, or one which is shorter than 30 characters_. Put the secret in your environment.rb:
That means the security of this storage depends on this secret (and on the digest algorithm, which defaults to SHA512, which has not been compromised, yet). So _don't use a trivial secret, i.e. a word from a dictionary, or one which is shorter than 30 characters_.

```ruby
config.action_dispatch.session = {
key: '_app_session',
secret: '0x0dkfj3927dkc7djdh36rkckdfzsg...'
}
```
Newly generated applications get their `config.secret_key_base` (or in `environment.rb` in some past versions) initialized to a random key in `config/initializers/secret_token.rb`, e.g.:

Posts::Application.config.secret_token = 'dkfj3927dkc7djdh36rkckdfzsg...'

Reviewer comment:

The text says config.secret_key_base, and the example secret_token. Is it correct?

Contributor Author:

Good catch. Fixing now and trying to update a little.

Contributor Author:

Fix in #8584

Let me know if that works. Thanks for the review!


There are, however, derivatives of CookieStore which encrypt the session hash, so the client cannot see it.

If you have received an application where the secret was exposed (e.g. an application whose source was shared), strongly consider changing the secret.

### Replay Attacks for CookieStore Sessions

TIP: _Another sort of attack you have to be aware of when using `CookieStore` is the replay attack._
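Review bot: the added sentence and its example name two different settings: the text says `config.secret_key_base`, while the example line reads `Posts::Application.config.secret_token = 'dkfj3927dkc7djdh36rkckdfzsg...'`, and the file named, `config/initializers/secret_token.rb`, carries the older name as well; pick one name and use it in the sentence, the example and the file reference (the inline thread already flags this and points to #8584). Two smaller points on the same lines: the removed text showed the secret inside a ```ruby fence, but the replacement example is a bare line, so in the rendered guide it will appear as running prose rather than code; and the aside "(or in `environment.rb` in some past versions)" is hard to parse now that the "Put the secret in your environment.rb" instruction is gone, so either state plainly which versions kept the secret in `environment.rb` or drop the parenthetical. Something like "Newly generated applications get their secret initialized to a random key in `config/initializers/secret_token.rb`, e.g.:" followed by the fenced example would read cleanly and keep the retained advice about not using a dictionary word or a secret shorter than 30 characters meaningful.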
Expand Down Expand Up @@ -959,6 +958,11 @@ Used to control which sites are allowed to bypass same origin policies and send
* Strict-Transport-Security
[Used to control if the browser is allowed to only access a site over a secure connection](http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security)

Environmental Security
----------------------

It is beyond the scope of this guide to inform you on how to secure your application code and environments. However, please secure your database configuration, e.g. `config/database.yml`, and your server-side secret, e.g. stored in `config/initializers/secret_token.rb`. You may want to further restrict access, using environment-specific versions of these files and any others that may contain sensitive information.

Additional Resources
--------------------
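Review bot: the first sentence of the new Environmental Security section says that securing "your application code" is beyond the scope of this guide, which contradicts the rest of a guide whose whole subject is securing application code; it is the hosting environment (servers, deployment, file permissions) that is out of scope, so the sentence should say that. The advice that follows is too vague to act on: "please secure your database configuration" and "you may want to further restrict access" do not say how. Suggest naming the concrete measures the section is hinting at: keep `config/database.yml` and `config/initializers/secret_token.rb` out of version control, restrict their file permissions to the user the application runs as, and supply the values at deploy time (for example from environment variables or from files generated on the server), which appears to be what "environment-specific versions of these files" means. It would also help to tie this back to the session-secret section earlier in the guide: the secret is what protects the CookieStore digest against tampering, so if either file has been committed or otherwise exposed the secret must be changed, not merely "further restricted".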
