It includes encrypted secrets and supports JS package managers for easier updates. That’s important too because of JS vulnerabilities.
Login/logout CSRF: Time to make them non-GET routes (you probably have already)
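To make the "non-GET routes" point concrete, here is an added example (not code from the newsletter or from Rails) of a framework-free guard for session-changing routes. It refuses a GET to /login or /logout outright, because a GET can be fired from any site through a link or an image, and then requires a submitted CSRF token that matches the one kept in the session. The request hash, the route list and the helper names are all assumptions made for this illustration; in a Rails app `protect_from_forgery` and the authenticity token do this for you.

```ruby
require "securerandom"

# Constructed route list for the example; in a real app these come from routes.rb.
SESSION_ROUTES = %w[/login /logout].freeze

# Issue a fresh per-session CSRF token (stored server-side in the session).
def new_csrf_token
  SecureRandom.hex(32)
end

# Constant-time string comparison so token checks do not leak via timing.
def secure_equal?(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Decide whether a request may reach a session-changing route.
# `request` is a constructed Hash with :method, :path, :csrf_token (from the
# submitted form) and :session_token (the value stored in the user's session).
def session_request_allowed?(request)
  return :not_session_route unless SESSION_ROUTES.include?(request[:path])

  # Login/logout CSRF: these routes must never act on a GET.
  return :rejected_get unless request[:method] == "POST"

  # Second check: the form must carry the session's CSRF token.
  return :rejected_token unless secure_equal?(request[:csrf_token].to_s,
                                              request[:session_token].to_s)
  return :rejected_token if request[:session_token].to_s.empty?

  :allowed
end

if __FILE__ == $PROGRAM_NAME
  token = new_csrf_token
  p session_request_allowed?(method: "GET",  path: "/logout", csrf_token: token, session_token: token)
  p session_request_allowed?(method: "POST", path: "/logout", csrf_token: token, session_token: token)
end
```

The GET rejection is the part the newsletter item is about: even a perfectly implemented token check is useless on a route that also accepts GET, because the browser never attaches a token to a plain navigation.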
Rails GEMS Vulnerable to CSRF Show Vulnerability Disclosure in Open-Source Projects Needs a Re-Think
Used to Rails’ security? Check your plain Ruby code using Net::HTTP
Lots of web application security articles last week again. So here are the most interesting ones.
- Phillip shares a way to color-code the PRY console in a production environment. He always has 2 debugging consoles open side by side. One in production and one in development. You know what can happen.
- A good example of a postmortem for the Gitlab disaster, including the issue tickets. Similar steps might be needed after a security incident.
- The Mozilla Security Bytes podcast starts with an episode on the Content-Security-Policy.
- If you’re using Docker, there are now Docker secrets.
- And did you ever write a commit message “remove password”? You’re not alone. Don’t use it again, it might be a public repository.
These friends of Rails saw security updates last week:
- Jenkins released new versions after fixing several security issues, including a high one.
A short story about how encryption can go very wrong with a (Ruby) workflow we’re all guilty of using.
This time focusing on images and dangling markup. That’s when an attacker injects an <img> tag without closing it to extract the HTML of the rest of the page.
There are now "Not Secure" warnings for insecure pages with password and credit card input fields in Chrome and Firefox 51.
Welcome! Also in 2017 we want to find the right mix of security information, vulnerabilities in Rails’ friends and browser news. Let’s see what was interesting this week:
Important security updates
There were also several memory problems in the versions before.
Important security updates
Referer header. Fix this on your site if you care about a second layer of defense.
Since Let’s Encrypt started, the adoption of HTTPS has picked up speed. In Firefox the percentage of HTTPS page loads is now at 42%. Browsers also campaign for it: more and more of them mark forms with sensitive information as insecure. More about this in today’s interesting security news: