This repository has been archived by the owner on May 10, 2019. It is now read-only.
basic-security.md

Basic security for web applications

For a good quick overview, see the OWASP Top 10 list. Basically, don’t trust user input.

Rails-specific guidance

  • Don't construct HTML using strings in Ruby classes - always do it in the view and let Rails automatically escape it for you. If you must do it outside the view, make sure it is escaped, for example by using content_tag or ERB::Util.html_escape.
  • Don't call to_sym on strings - this can lead to memory exhaustion.
  • Turn off YAML and XML request deserialisation - this is a major source of attacks and bugs. Here is an example of one such attack.
  • Use ActiveRecord’s built-in methods and SQL parameter sanitisation to avoid SQL injection.
  • It is worth including Brakeman in the project's CI build. (An example for those who have access is the Signon build.) Be aware though that this does not substitute for awareness of security issues as it will not pick up everything.
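The first three points above, shown as a small added example that is not part of this guidance or of the project's own code. It uses only the Ruby standard library (ERB::Util for escaping, Psych's YAML.safe_load for parsing), and all inputs and the allow-list of sort columns are constructed for the illustration.

```ruby
require "erb"
require "yaml"

# Constructed sample inputs (not from the original page).
UNTRUSTED_NAME = %q(<script>alert("x")</script>)
# A YAML document carrying a Ruby object tag: the shape that unsafe
# deserialisation turns into arbitrary object instantiation.
TAGGED_YAML = "--- !ruby/object:Object\nfoo: bar\n"
PLAIN_YAML  = "---\nname: alice\nage: 3\n"

# Building HTML outside the view layer: escape explicitly, as the guidance
# says, rather than interpolating the raw string.
def greeting_html(name)
  "<p>Hello, #{ERB::Util.html_escape(name)}!</p>"
end

# Turn a request parameter into a symbol only when it matches a fixed
# allow-list (hypothetical column names), so attacker-chosen strings never
# create new symbols and cannot exhaust memory.
SORT_COLUMNS = %w[name created_at].freeze
def sort_column(param)
  SORT_COLUMNS.include?(param) ? param.to_sym : :name
end

# Parse untrusted YAML with safe_load: plain scalars, arrays and hashes are
# returned, while a tagged Ruby object is rejected instead of instantiated.
def parse_untrusted_yaml(doc)
  YAML.safe_load(doc)
rescue Psych::DisallowedClass, Psych::SyntaxError => e
  { "error" => e.class.name }
end

if __FILE__ == $PROGRAM_NAME
  puts greeting_html(UNTRUSTED_NAME)
  p sort_column("created_at"), sort_column("; DROP TABLE users")
  p parse_untrusted_yaml(PLAIN_YAML), parse_untrusted_yaml(TAGGED_YAML)
end
```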

It is worth familiarising yourself with the Ruby on Rails Security Guide.