14 Bare Minimum Security Checks Before Releasing a Rails App

When you upload your latest app to a production Web server and open it up to the world, you're really throwing your app to the elements - good and bad. If you don't pay any attention to security whatsoever, you're likely to fall foul of some cracker's nefarious scheme and your users will be complaining when something doesn't work or they're being spammed by geriatric Nigerian clowns with pots of gold to share. But what to do?

Luckily, help is at hand in the shape of the official Ruby on Rails Security Guide, but Irish Rails developer Matthew Hutchinson has trawled through that guide as well as several illuminating blog posts relating to Rails security, and put together a 14 step checklist of "bare minimum" security checks to do before releasing your Rails app.

In summary:

1. Don't trust logged in users. (Authentication is one thing, authorization to perform certain tasks is another.)
2. Beware of mass assignments. (Use attr_accessible in your models!)
3. Make some attributes un-editable with attr_readonly.
4. Watch out for SQL injection vectors. (Raw SQL in your code is a smell worth investigating.)
5. Prevent executable files from being uploaded.
6. Filter sensitive parameters from the logs.
7. Beware CSRF (Cross-Site Request Forgery) and use protect_from_forgery and csrf_meta_tag.
8. Beware XSS (Cross-Site Scripting) and use the h helper in views (this is the default in Rails 3, luckily).
9. Watch out for session hijacks.
10. Avoid using redirects to user supplied URLs.
11. Avoid using user params or content in the send_file method.
12. Make non-ActionController methods private.
13. Check your dependencies for security updates and patches.
14. Don't store passwords in the database as clear text.

Want more detail? Check out Matthew's article.

[ad] coder.io is a tagged developer news source. Want to subscribe to stories about Ruby but not Rails? Just use the query #ruby -#rails. Or how about Ruby screencasts?

Tweet This Post