The feature came in with this pull request and was inspired by the sekrets gem. This allows you to commit encrypted production secrets. The encryption happens using a master key which will live in an env var (production). Or in a git-ignored file (development). This video explains the process.
They fixed it within 5 hours, but the pitfalls of the JS postMessage API might live in your code, as well. In short: Specify which origin may receive the message and validate the origin on the other side.
Used to Rails’ security? Check your plain Ruby code using Net::HTTP
The long discussion here makes clear (again) that we’ve to take good care of user input and Net::HTTP. Hint: Line breaks lead to HTTP header injection.
The recent memory leak in Cloudflare showed various secrets to random visitors of these sites. Also, read these pragmatic thoughts about #Cloudbleed.
But 1Password shows us how important it is to think about the worst-case scenario. They use a Secure Remote Password protocol where the client and server prove their identity to each other.
But also read the pragmatic thoughts of Linus Torvalds about the matter.
Like this kind of articles?
Subscribe to hear about new Rails security resources first. Only helpful articles and guides. Monthly(ish) updates, no spam.
