14 Bare Minimum Security Checks Before Releasing a Rails App
When you upload your latest app to a production Web server and open it up to the world, you're really throwing your app to the elements - good and bad. If you don't pay any attention to security whatsoever, you're likely to fall foul of some cracker's nefarious scheme and your users will be complaining when something doesn't work or they're being spammed by geriatric Nigerian clowns with pots of gold to share. But what to do?
Luckily, help is at hand in the shape of the official Ruby on Rails Security Guide, but Irish Rails developer Matthew Hutchinson has trawled through that guide as well as several illuminating blog posts relating to Rails security, and put together a 14 step checklist of "bare minimum" security checks to do before releasing your Rails app.
- Don't trust logged in users. (Authentication is one thing, authorization to perform certain tasks is another.)
- Beware of mass assignments. (Use
attr_accessiblein your models!)
- Make some attributes un-editable with
- Watch out for SQL injection vectors. (Raw SQL in your code is a smell worth investigating.)
- Prevent executable files from being uploaded.
- Filter sensitive parameters from the logs.
- Beware CSRF (Cross-Site Request Forgery) and use
- Beware XSS (Cross-Site Scripting) and use the
hhelper in views (this is the default in Rails 3, luckily).
- Watch out for session hijacks.
- Avoid using redirects to user supplied URLs.
- Avoid using user params or content in the
- Make non-ActionController methods private.
- Check your dependencies for security updates and patches.
- Don't store passwords in the database as clear text.
Want more detail? Check out Matthew's article.