Rails and web security reading (with Gmail security lessons learned) #9

So what did the Gmail team learn while protecting their app?
  • “Prevent vulnerabilities through product design”
  • “Empower users to take action through a meaningful feedback UI”
  • “Any defense can be defeated – use defense in depth with multiple layers of protection”
  • “Detection systems are imperfect – implement catch-up mechanisms”
  • “Make it hard for attackers to understand your defenses”
  • “Implement an emergency system“ as a last resort
And now for other interesting reads:

Let’s Encrypt & Nginx

Set up Let’s encrypt, nginx and security headers

How I got XSS’d by my ad network

XSS from ad networks on a security researcher’s blog

The misunderstood X-XSS-Protection

Rails sends the recommended setting by default, but an interesting read.

Secure websites shun HTTP Public Key Pinning

HTTP Public Key Pinning not widely adopted, also because a small mistake could wipe out an online business

Uber bug bounty: Turning self-XSS into good-XSS

How self-XSS can still be used to affect other users

Like this kind of articles?

Subscribe to hear about new Rails security resources first. Only helpful articles and guides. Monthly(ish) updates, no spam.

Unsubscribe at any time. Powered by ConvertKit