Rails security reading list, vulnerabilities and browser news (? edition)

Welcome! In 2017 we again want to find the right mix of security information, vulnerabilities in Rails’ friends (gems and related tools) and browser news. Let’s see what was interesting this week:

Several ‘exotic’ security HTTP headers tested

This saves you the time of trying out every configuration option yourself.

Invisible Captcha: Spam protection gem

It’s based on the honeypot strategy: the form gets an extra field that human visitors never see, so a submission that fills it in is known to come from a spam bot.

Another Rails security checklist

CSRF vulnerability in rails_admin gem

Tool to detect TLS/SSL vulnerabilities and versions

This is probably only useful if you can’t use the Qualys SSL Server Test, for example in a restricted environment that the online test can’t reach.

Version handling differences between RubyGems and npm

If you’re using both Node and Ruby, you might find this guide interesting.

New Content-Security-Policy (CSP) directive require-sri-for coming to Chrome

Subresource Integrity (SRI) is a mechanism that lets user agents verify that fetched scripts and stylesheets have been delivered without manipulation. This CSP directive lets developers require SRI for certain resource types.
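As an added example (not code from the linked article or from Rails), the following Ruby mirrors what the browser does for SRI and what require-sri-for adds on top: it builds an integrity value for a resource, verifies a fetched body against the integrity metadata using the strongest listed algorithm (as the SRI specification requires), and decides whether a CSP carrying require-sri-for would allow an element without usable integrity metadata to load. The resource body and the CSP header string are constructed for the example.

```ruby
require "digest/sha2"
require "base64"

# Hash functions SRI accepts, weakest first. A browser that finds several
# in one integrity attribute checks only the strongest one(s) listed.
SRI_DIGESTS = { "sha256" => Digest::SHA256, "sha384" => Digest::SHA384,
                "sha512" => Digest::SHA512 }.freeze

# Build the integrity attribute value a page author would publish for a resource.
def sri_integrity(body, algorithm: "sha384")
  klass = SRI_DIGESTS.fetch(algorithm) { raise ArgumentError, "unsupported #{algorithm}" }
  "#{algorithm}-#{Base64.strict_encode64(klass.digest(body))}"
end

# Parse integrity metadata into { algorithm => [base64 digests] }. Tokens with an
# unknown algorithm are ignored, as the browser ignores them; an option suffix ("?...") is dropped.
def parse_integrity(attr)
  attr.to_s.split(/\s+/).each_with_object({}) do |token, acc|
    algorithm, value = token.split("-", 2)
    next unless SRI_DIGESTS.key?(algorithm) && value
    (acc[algorithm] ||= []) << value.split("?", 2).first
  end
end

# Mirror the user agent's check: hash the fetched body with the strongest listed
# algorithm and accept if any digest given for that algorithm matches.
def sri_matches?(body, integrity)
  parsed = parse_integrity(integrity)
  return true if parsed.empty? # no usable metadata: SRI alone does not block the load
  strongest = SRI_DIGESTS.keys.reverse.find { |a| parsed.key?(a) }
  expected = sri_integrity(body, algorithm: strongest)
  parsed[strongest].any? { |digest| "#{strongest}-#{digest}" == expected }
end

# Model the require-sri-for directive: when the page's CSP lists the resource
# type ("script" or "style"), an element without usable integrity metadata is blocked.
def csp_permits_load?(csp_header, type, integrity)
  directive = csp_header.to_s.split(";").map(&:strip).find { |d| d.start_with?("require-sri-for") }
  return true unless directive
  return true unless directive.split(/\s+/).drop(1).include?(type)
  !parse_integrity(integrity).empty?
end
```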

Important security updates

[ImageMagick] Critical buffer overflow vulnerability in versions before 7.0.2-7.
Earlier versions also had several other memory-safety problems.
