Rails and web security digest #17

Since Let’s Encrypt started, the adoption of HTTPS has picked up speed. In Firefox the percentage of HTTPS page loads is now at 42%. Browsers also campaign for it: more and more of them mark forms with sensitive information as insecure. More about this in today’s interesting security news:

Ruby method and class injection

Injecting Ruby method and class names. This is a pretty frequent "guest" in my security code audits, so I wrote about it.

Is HTTP Public Key Pinning dead?

Opinion by Ivan Ristić about HTTP Public Key Pinning (HPKP) being too complicated and dangerous to implement.

Storing Passwords in a Highly Parallelized World

As password cracking methods get faster and faster, it might be time to move from bcrypt to Argon2. A Ruby gem is available.

Authorization with Pundit

Reshaping web defenses with strict Content Security Policy

Interesting new tools and research about Content-Security-Policy

Is your database affected by CVE-2016-6662?

Are you affected by the latest MySQL critical vulnerability?

Two Factor Authentication

Screencast on how to add 2FA to your application

Moving towards a more secure web

Chrome will also mark login screens served over plain HTTP as insecure.
