Video: The World of Rails Security


What Rails provides

  • XSS protection, but make sure you know how it works
  • CSRF protection
  • Mass assignment protection with strong parameters in Rails 4
  • Encrypted session cookies in Rails 4
  • SQL injection protection by escaping
  • New default security HTTP headers

What it doesn’t provide

  • .html_safe doesn’t make a string safe
  • You’ll have to remember what context you’re in and encode according to it: j(), h(), json_escape(), …
  • Sessions are not server-side
  • Pre-Rails 4 session cookies can be decoded
  • No directory-traversal protection (until recently): render(params[:view]), send_file(params[:file])
  • SQL injection protection could be more strict
  • No rate limiting directly in Rails
  • Redirect could be more protected
  • No protocol filtering for links


  • Learn!
  • Some missing features can be found in gems
  • Static code analysis tools
  • Don’t fix vulnerabilities, prevent them from happening