Rails Security Checklist


:key: Community-driven Rails Security Checklist (see our GitHub Issues for the newest checks that aren't yet in the README)

Overview

Security is not a feature you bolt onto a Rails application afterwards. The Rails Security Checklist is a curated list of precautions developers should consider when building and reviewing Rails apps. It is not exhaustive, but it is a practical starting point for hardening an application against common vulnerabilities, and it is meant to grow as a community resource that captures good practice as it evolves.

The checklist is organised by the parts of a Rails application where mistakes typically happen: controllers, routes, views and the handling of sensitive information. Each section gives concrete, actionable steps rather than general advice, while acknowledging that a checklist complements, and does not replace, ongoing review and consultation with security specialists.

Features

  • Secure Default Callbacks: Define secure defaults (authentication, authorization and CSRF checks) as callbacks on ApplicationController and other abstract controllers, so every inheriting action is protected unless it explicitly opts out with a skip scoped to named actions.

  • Authentication and Authorization Checks: Enforce authentication and authorization callbacks on every action, for example with Devise's authenticate_user! and Pundit's authorize together with verify_authorized, so no endpoint is reachable without an explicit decision.

  • CSRF Protections: Enable Cross-Site Request Forgery protection (protect_from_forgery with: :exception) so a third-party site cannot replay state-changing requests through a victim's authenticated session.

  • Defence-in-depth: Also gate routes in routes.rb (for example with Devise's authenticate and authenticated route helpers, or route constraints) so that a single missing controller callback does not expose an action on its own.

  • Endpoint Protection: Mount engines and Rack apps, such as admin or job-queue dashboards, only behind authentication, so their URL endpoints do not leak sensitive information.

  • Server-side Comments: Avoid HTML comments (<!-- -->) in view templates, because they are delivered to every client; use ERB comments (<%# %>), which are stripped during rendering.

  • Mitigation of Referer Header Leaks: Keep secret tokens out of URLs where possible, and where a URL must carry one, set a Referrer-Policy (or rel="noreferrer" on outbound links) so the token is not sent to third-party sites the page links to.

  • Avoid Sequential IDs: Do not expose sequential database IDs in URLs and APIs; look records up by an opaque identifier (a UUID or random slug) so they cannot be enumerated by forced browsing.
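The first, second and last items above are easiest to see running. The following is an added example written for this page, not code from the Rails Security Checklist, Rails, Devise or Pundit. It assumes a tiny hand-rolled stand-in for Rails' callback machinery (BaseController, with before_action, after_action, skip_before_action and process) so it runs with plain Ruby; the controller, model and user names are invented for illustration.

```ruby
require 'securerandom'

# Minimal stand-in for Rails' controller callbacks (an assumption of this example,
# not Rails, Devise or Pundit code) so the checklist's patterns run as plain Ruby.
class BaseController
  class Unauthenticated < StandardError; end
  class NotAuthorized < StandardError; end
  class AuthorizationNotPerformed < StandardError; end
  class NotFound < StandardError; end
  # Callbacks are inherited, so every concrete controller gets the base defaults.
  def self.callbacks
    @callbacks ||= (superclass.respond_to?(:callbacks) ? superclass.callbacks.map(&:dup) : [])
  end
  def self.before_action(name); callbacks << { kind: :before, name: name, except: [] }; end
  def self.after_action(name);  callbacks << { kind: :after,  name: name, except: [] }; end
  # Opt-out is explicit and scoped to named actions; there is no blanket skip.
  def self.skip_before_action(name, only:)
    callbacks.each { |cb| cb[:except] |= Array(only) if cb[:kind] == :before && cb[:name] == name }
  end
  attr_reader :current_user
  def initialize(current_user)
    @current_user, @authorized = current_user, false
  end
  # before callbacks -> action -> after callbacks, as Rails' process_action does.
  def process(action, *args)
    @action = action
    run(:before)
    result = public_send(action, *args)
    run(:after)
    result
  end
  private
  def run(kind)
    self.class.callbacks.each { |cb| send(cb[:name]) if cb[:kind] == kind && !cb[:except].include?(@action) }
  end
end

# Secure defaults live on the abstract controller: every action needs a signed-in
# user and must record an authorization decision, otherwise the request fails closed.
class ApplicationController < BaseController
  before_action :require_login
  after_action :verify_authorized

  private

  def require_login
    raise Unauthenticated, 'sign in required' unless current_user
  end
  # Like Pundit's verify_authorized: forgetting to authorize is a bug, not a pass.
  def verify_authorized
    raise AuthorizationNotPerformed, "#{self.class}##{@action}" unless @authorized
  end
  def authorize!(record)
    @authorized = true
    raise NotAuthorized unless yield(current_user, record)
  end
  def skip_authorization; @authorized = true; end
end

User     = Struct.new(:id, :name)
Document = Struct.new(:id, :public_id, :owner_id, :title)  # URLs carry public_id only

# Constructed sample data: the sequential primary key never leaves the server.
DOCUMENTS = [Document.new(1, SecureRandom.uuid, 1, 'alice notes'),
             Document.new(2, SecureRandom.uuid, 2, 'bob notes')]

class DocumentsController < ApplicationController
  def show(public_id)
    doc = DOCUMENTS.find { |d| d.public_id == public_id } or raise NotFound
    authorize!(doc) { |user, d| d.owner_id == user.id }
    doc.title
  end
end

class PagesController < ApplicationController
  skip_before_action :require_login, only: [:home]
  def home
    skip_authorization  # public page, but the decision is still explicit
    'welcome'
  end
  def dashboard         # signed-in only, but the author forgot to authorize
    'secret dashboard'
  end
end

# Exercise each path; failures are reported as the exception's short class name.
def demo
  alice, bob = User.new(1, 'alice'), User.new(2, 'bob')
  target = DOCUMENTS.find { |d| d.owner_id == alice.id }
  attempt = ->(ctrl, *args) { ctrl.process(*args) rescue $!.class.name.split('::').last.to_sym }
  {
    owner:     attempt.(DocumentsController.new(alice), :show, target.public_id),
    other:     attempt.(DocumentsController.new(bob),   :show, target.public_id),
    anon:      attempt.(DocumentsController.new(nil),   :show, target.public_id),
    guessed:   attempt.(DocumentsController.new(alice), :show, '1'),
    home:      attempt.(PagesController.new(nil),       :home),
    dashboard: attempt.(PagesController.new(alice),     :dashboard),
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The point of the dashboard case is the one that matters most in review: the action itself is perfectly ordinary Ruby, and the only thing that turns a forgotten authorization check into a failed request rather than a silent data exposure is that the abstract controller verifies a decision was made after every action. The home action shows the intended opt-out shape, a skip restricted to a named action plus an explicit skip_authorization, which is easy to grep for in code review; a blanket skip_before_action with no only: list is what the checklist warns against.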

Ruby on Rails

Ruby on Rails, often referred to as Rails, is an open-source web application framework written in Ruby. Known for its convention over configuration and don't repeat yourself (DRY) principles, Rails simplifies and accelerates the development of database-backed web applications.