Ruby on Rails Security Cheatsheet

This link has been bookmarked by 23 people . It was first bookmarked on 25 Sep 2007, by Joel Liu.

15 Jul 08

Maciej Szczytowski
rails security
07 Jul 08

dani-el
security rails reference cheatsheet howto guide
21 Mar 08

Ramon Tayag
cheatsheet rails security
09 Feb 08

Piotr Golabek
webapp_blogs
24 Jan 08

Dirk Jende-Holzmann
rails security
30 Dec 07

Carlos Rafael .
security rails rubyonrails programming reference development
09 Dec 07

Harjeet Singh
rails ruby security
- Ruby on Rails Security Cheatsheet
  
  Why security is important
  
  If you are not yet convinced why you should secure your application, read this.
  
  What can happen?
  
  CNBC Stock Trading Contest Hacked
  A new form of attacks: Tailor-made trojans
  Rails was at risk already once: Anatomy of an attack against 1.1.4
  How: Sniffing in an insecure network such as Wireless LAN, Internet café
  Countermeasures
  Encrypt the traffic using SSL (although HTTPS is slower). However, if parts of the web site are not encrypted, such as the login or index page, the cookie will be transmitted nevertheless. To instruct the browser only to send the cookie over encrypted HTTPS and never over normal HTTP, you have to include the following line in the environment file:
  ActionController::Base.session_options[:session_secure] = true
  Include additional information (user agent, IP address, …) in the cookie and verify it on each request. When saving the IP-address, you have to bear in mind that there are Internet access providers or large organizations that put their users behind proxies and these might change over the course of a session. Also, the attacker could be in the same local network and so both the victim and the attacker have the same external IP address.
- Ruby on Rails Security Cheatsheet
- 1 more annotations...
- - Ruby on Rails Security Cheatsheet
    
    Why security is important
    
    If you are not yet convinced why you should secure your application, read this.
    
    What can happen?
    
    CNBC Stock Trading Contest Hacked
    A new form of attacks: Tailor-made trojans
    Rails was at risk already once: Anatomy of an attack against 1.1.4
    How: Sniffing in an insecure network such as Wireless LAN, Internet café
    Countermeasures
    Encrypt the traffic using SSL (although HTTPS is slower). However, if parts of the web site are not encrypted, such as the login or index page, the cookie will be transmitted nevertheless. To instruct the browser only to send the cookie over encrypted HTTPS and never over normal HTTP, you have to include the following line in the environment file:
    ActionController::Base.session_options[:session_secure] = true
    Include additional information (user agent, IP address, …) in the cookie and verify it on each request. When saving the IP-address, you have to bear in mind that there are Internet access providers or large organizations that put their users behind proxies and these might change over the course of a session. Also, the attacker could be in the same local network and so both the victim and the attacker have the same external IP address.
    Create a new session when someone successfully logs in. Use reset_session to do that. However you have to copy all data from the old session to the new one (e.g. :user_id).
    Invalidate the session when someone logs out. For example session[:user_id] = nil
    Countermeasures
    Create a new session when someone successfully logs in (see above).
    
    Generators and plugins for authentication.
21 Nov 07

fourdee
Script Help Ruby on Rails
15 Nov 07

Joao Vitor Guimaraes
ruby security rubyonrails cheatsheet
14 Nov 07

A. D.
cheatsheet rails security
06 Oct 07

Jaroslaw Zabiello
cheatsheet rubyonrails security rails
27 Sep 07

pangel
rails security
25 Sep 07

Iecker
hacker
loopion loopion
security rails rubyonrails ruby cheatsheet programming reference documentation
jeremiah hester
cheatsheet rails ruby rubyonrails security reference programming imported
Joel Liu
rails security