Rails security news and reading list #5

Were you surprised too? After 10 years Rails gets a new logo and more whitespace. Also, last week I slightly revised my article about the week with a Rails security strategy and put it up on Medium. Check out these new interesting Rails security links:

Each form can get its own CSRF token in Rails 5

How to get started with a Content-Security-Policy in Rails

Start with reports only, analyze them and then move to the real thing. Here’s a great intro to CSP.

Interesting stats about gem downloads last year

1.2M/month Rails 4, 200K/month Rails 3 and CanCanCan dominates the authorization layer (more popular than Pundit).

Why isn’t HTTPS everywhere yet?

1) Because of the effort to set it up (but now there’s Let’s Encrypt) and 2) because of Mixed content. This article describes an approach to fix that.

Rails security and strategy reading list #4

Happy 2016!

Here are a few articles from different categories that I found interesting in the past weeks. Now it also includes real-world vulnerabilities and hacks for us to learn from.

Security report: This security report reminds us to re-check passwords, IDs and more if the operation includes more than one step.

In this particular case, the password wasn’t re-checked when deleting a user after filling out a small survey after the initial password check.

Hack: An Instagram admin panel was leaked at the end of last year

Some don’t agree with the way it was reported. But it’s based on a hard-coded Rails secret token (from config/initializers/secret_token.rb) in a publicly accessible repository.

Development: The new Chrome development toolbar has security panel

It explains the lock icon and mixed content notifications.

Strategy check: Test your server response headers for the new security headers

The new securityheaders.io includes a scoring system.

Development: A reminder how to use Rails strong parameters

Rails and web security digest #3

Better for security, worse for UX: Prevent information leaking in Rails

As in how to turn off browser caching.

Firefox Nightly starts marking login-forms in HTTP as insecure

If your site has any kind of login section, you’ll want to switch to HTTPs.

A few things about Redis security

The Redis security model is: “it’s totally insecure to let untrusted clients access the system, please protect it from the outside world yourself”.

HTTP Public Key Pinning: Set which Certificate Authorities you accept

HTTP Public Key Pinning, or HPKP, is a security policy delivered via a HTTP response header much like HSTS and CSP.

Lightweight beta authorization Rails engine for the Resource Owner Password Credentials Grant OAuth 2.0 flow

“It’s built for usage in API projects”

Rails security gems, tutorials and tools #2

Rack-timesec gem

Rack middleware to prevent timing attacks

Ruby-SSLscanner gem

A simple and easy to use SSL Cipher scanner

Straightforward Rails Authorization with Pundit

This is a second article in the “Authorization with Rails” series.

Attacking Ruby on Rails Applications

Interesting attack paths and techniques for Rails 3 (and some for Rails 4) in one write up.

SMS Verification With Rails

SSL tools we wish we’d known about earlier

Here’s a couple of new tools, and a couple of different ways to use old tools, that the CertSimple team wish we knew about earlier.

Rails security digest #1

All questions answered about Cross-Site Request Forgery in Rails

Answers for example “what’s the difference between protect_from_forgery with: :null_session and :reset_session”.

Your Preproduction Checklist for Your Rails App

In this guest posting I wrote up what to check before putting a Rails app into production.

Hardening the CSP on report-uri.io

It’s pretty easy to get a basic CSP setup and issued on your site, but tightening up the policy can be tricky.

Straightforward Rails Authorization with Pundit

Fixing SQL Injection Vulnerabilities in Ruby/Rails

Statusify is a web-application status app, written entirely in Ruby