The end of January saw a lot of security fixes in Rails. A good reminder to keep up with Rails security, for example by reading these articles:
Two factor authentication in Rails 4 with Devise, Authy and puppies
Add 2FA via SMS to your Rails app.
Find mixed content and other SSL problems with the new Security Panel in Chrome DevTools
Creating a Content-Security-Policy from scratch
There’s also a CSP header generator.
Great idea: when you complete the Google account security checkup, you get an extra 2 GB of Google Drive storage.
Not migrated to strong parameters yet? Here’s a rake task to help with that.
Martin Fowler’s web security basics:
- Output encode all application data on output with an appropriate codec
- Use your framework’s output encoding capability, if available
- Avoid nested rendering contexts as much as possible
- Store your data in raw form and encode at rendering time
- Avoid unsafe framework and JavaScript calls that avoid encoding
(Highlights by me.)