Rails security, strategy and config reading list #6

The end of January saw a lot of security fixes in Rails. A good reminder to keep up with Rails security, for example by reading these articles:

Two factor authentication in Rails 4 with Devise, Authy and puppies

Add 2FA via SMS to your Rails app.

Find mixed content and other SSL problems with the new Security Panel in Chrome DevTools

Chrome DevTools security panel

Creating a Content-Security-Policy from scratch

There’s also a CSP header generator.

Great idea: when you complete the Google account security checkup, you’ll get an extra 2 GB for Google Drive.

Not migrated to strong parameters yet? Here’s a rake task to help with that.

Martin Fowler’s web security basics:

  • Output encode all application data on output with an appropriate codec
  • Use your framework’s output encoding capability, if available
  • Avoid nested rendering contexts as much as possible
  • Store your data in raw form and encode at rendering time
  • Avoid unsafe framework and JavaScript calls that avoid encoding
(Highlights by me.)
