Rails security, strategy and config reading list #6

The end of January saw a lot of security fixes in Rails. A good reminder to keep up with Rails security, for example by reading these articles:

Two factor authentication in Rails 4 with Devise, Authy and puppies

Add 2FA via SMS to your Rails app.

Find mixed content and other SSL problems with the new Security Panel Chrome in DevTools

Chrome DevTools security panel

Creating a Content-Security-Policy from scratch

There’s also a CSP header generator.

Great idea, when you complete the Google account security checkup, you’ll get an extra 2 GB for Google Drive.


Not migrated to strong parameters yet, here’s a rake task to help with that


Martin Fowler’s web security basics:

  • Output encode all application data on output with an appropriate codec
  • Use your framework’s output encoding capability, if available
  • Avoid nested rendering contexts as much as possible
  • Store your data in raw form and encode at rendering time
  • Avoid unsafe framework and JavaScript calls that avoid encoding
(Highlights by me.)

Rails security news and reading list #5

Were you surprised too? After 10 years Rails gets a new logo and more whitespace. Also, last week I slightly revised my article about the week with a Rails security strategy and put it up on Medium. Check out these new interesting Rails security links:

Each form can get its own CSRF token in Rails 5

How to get started with a Content-Security-Policy in Rails

Start with reports only, analyze them and then move to the real thing. Here’s a great intro to CSP.

Interesting stats about gem downloads last year

1.2M/month Rails 4, 200K/month Rails 3 and CanCanCan dominates the authorization layer (more popular than Pundit).

Why isn’t HTTPS everywhere yet?

1) Because of the effort to set it up (but now there’s Let’s Encrypt) and 2) because of Mixed content. This article describes an approach to fix that.

Rails security and strategy reading list #4

Happy 2016!

Here are a few articles from different categories that I found interesting in the past weeks. Now it also includes real-world vulnerabilities and hacks for us to learn from.

Security report: This security report reminds us to re-check passwords, IDs and more if the operation includes more than one step.

In this particular case, the password wasn’t re-checked when deleting a user after filling out a small survey after the initial password check.

Hack: An Instagram admin panel was leaked at the end of last year

Some don’t agree with the way it was reported. But it’s based on a hard-coded Rails secret token (from config/initializers/secret_token.rb) in a publicly accessible repository.

Development: The new Chrome development toolbar has security panel

It explains the lock icon and mixed content notifications.

Strategy check: Test your server response headers for the new security headers

The new securityheaders.io includes a scoring system.

Development: A reminder how to use Rails strong parameters

Rails and web security digest #3

Better for security, worse for UX: Prevent information leaking in Rails

As in how to turn off browser caching.

Firefox Nightly starts marking login-forms in HTTP as insecure

If your site has any kind of login section, you’ll want to switch to HTTPs.

A few things about Redis security

The Redis security model is: “it’s totally insecure to let untrusted clients access the system, please protect it from the outside world yourself”.

HTTP Public Key Pinning: Set which Certificate Authorities you accept

HTTP Public Key Pinning, or HPKP, is a security policy delivered via a HTTP response header much like HSTS and CSP.

Lightweight beta authorization Rails engine for the Resource Owner Password Credentials Grant OAuth 2.0 flow

“It’s built for usage in API projects”

Rails security gems, tutorials and tools #2

Rack-timesec gem

Rack middleware to prevent timing attacks

Ruby-SSLscanner gem

A simple and easy to use SSL Cipher scanner

Straightforward Rails Authorization with Pundit

This is a second article in the “Authorization with Rails” series.

Attacking Ruby on Rails Applications

Interesting attack paths and techniques for Rails 3 (and some for Rails 4) in one write up.

SMS Verification With Rails

SSL tools we wish we’d known about earlier

Here’s a couple of new tools, and a couple of different ways to use old tools, that the CertSimple team wish we knew about earlier.

Rails security digest #1

All questions answered about Cross-Site Request Forgery in Rails

Answers for example “what’s the difference between protect_from_forgery with: :null_session and :reset_session”.

Your Preproduction Checklist for Your Rails App

In this guest posting I wrote up what to check before putting a Rails app into production.

Hardening the CSP on report-uri.io

It’s pretty easy to get a basic CSP setup and issued on your site, but tightening up the policy can be tricky.

Straightforward Rails Authorization with Pundit

Fixing SQL Injection Vulnerabilities in Ruby/Rails

Statusify is a web-application status app, written entirely in Ruby

A week with a Rails Security Strategy (and page update)

Two things, a page update and my new article “A week with a Rails Security Strategy“.

Page update: This site hasn’t been very active recently, I’m working to make it more useful. Enter your e-mail in the header to notify you when it’s ready.

I published a new article “A week with a Rails Security Strategy” on my site:

You’re a busy person. Security is not a very visible feature in most applications, and so sometimes it’s not a priority. Of course you know it’s important, but how can you fit it into your busy schedule?

The answer may be in the power of habits and a Rails security strategy