12 Security Checks to be performed before releasing a Rails App
When you upload your latest app to a production Web server and open it up to the world, you’re really throwing your app to the elements – good and bad. If you don’t pay any attention to security whatsoever, you’re likely to fall victim to some cracker’s nefarious scheme, and your users will be complaining when something doesn’t work or when they’re being spammed by Nigerian clowns with pots of gold to share. But what to do?


1. Don’t trust logged in users. (Authentication is one thing; authorization to perform certain tasks is another.)

2. Beware of mass assignments. (Use attr_accessible in your models!)

3. Make some attributes un-editable with attr_readonly.

4. Watch out for SQL injection vectors. (Raw SQL in your code is a smell worth investigating.)

5. Prevent executable files from being uploaded.

6. Filter sensitive parameters from the logs.

7. Beware CSRF (Cross-Site Request Forgery) and use protect_from_forgery and csrf_meta_tag.

8. Beware XSS (Cross-Site Scripting) and use the h helper in views (this is the default in Rails 3, luckily).

9. Watch out for session hijacks.

10. Avoid using redirects to user supplied URLs.

11. Avoid using user params or content in the send_file method.

12. Make controller methods that are not actions private. (Any public method on an ActionController is reachable as an action.)
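Checks 2 and 3 in one runnable picture. This is an added example, not code from the post or from Rails: a tiny stand-in model that mimics what attr_accessible and attr_readonly do in Rails 3, so the mass-assignment problem and its fix can be seen without ActiveRecord. The class names, attribute names and params hash are all constructed.

```ruby
require 'set'
# Added example, not code from the post: a tiny model that mimics the Rails 3
# attr_accessible / attr_readonly whitelists so the mass-assignment problem and
# its fix can be run without ActiveRecord. Class and attribute names are constructed.
class TinyModel
  class << self
    def accessible; @accessible ||= Set.new; end
    def readonly;   @readonly   ||= Set.new; end
    # Only these attributes may be set from an untrusted params hash.
    def attr_accessible(*names); accessible.merge(names.map(&:to_s)); end
    # These may be set on creation but never changed once the record is saved.
    def attr_readonly(*names);   readonly.merge(names.map(&:to_s));   end
  end
  attr_reader :attributes

  def initialize(defaults = {})
    @attributes = defaults.transform_keys(&:to_s)
    @persisted  = false
  end
  def save!; @persisted = true; self; end

  # Mass assignment: copy every key from params, like User.new(params[:user]).
  # With no whitelist declared, every column (admin included) is writable.
  def assign_attributes(params)
    params.each do |key, value|
      key = key.to_s
      next if self.class.accessible.any? && !self.class.accessible.include?(key)
      next if @persisted && self.class.readonly.include?(key)
      @attributes[key] = value
    end
    self
  end
end

class UnsafeUser < TinyModel; end          # no whitelist: a forged "admin" field is honoured

class SafeUser < TinyModel                 # whitelist only what the signup form may set
  attr_accessible :name, :email
  attr_readonly   :email                   # fixed once the record exists
end

# Constructed params, as a signup POST carrying an extra admin field would send them.
FORGED = { "name" => "mallory", "email" => "m@example.test", "admin" => "true" }.freeze
def unsafe_admin;  UnsafeUser.new("admin" => false).assign_attributes(FORGED).attributes["admin"]; end
def safe_admin;    SafeUser.new("admin" => false).assign_attributes(FORGED).attributes["admin"];   end
def email_after_update
  user = SafeUser.new.assign_attributes(FORGED).save!
  user.assign_attributes("email" => "attacker@example.test").attributes["email"]
end
```

unsafe_admin returns "true" (privilege escalated from a form field), safe_admin returns false, and email_after_update still returns the original address because email is read-only after save.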

Source: Railscarma.com
