When you upload your latest App to a production Web server and open it up to the world, you’re really throwing your app to the elements – good and bad.
If you don’t pay any attention to security whatsoever, you’re likely to be spammed by some cracker’s nefarious scheme and your users will be complaining when something doesn’t work or they’re being spammed by Nigerian clowns with pots of gold to share. But what to do?
12 Security Checks to be performed before releasing a RailsApp
- Don’t trust logged in users. (Authentication is one thing, authorization to perform certain tasks is another.)
- Beware of mass assignments. (Use attr_accessible in your models!)
- Make some attributes un-editable with attr_readonly.
- Watch out for SQL injection vectors. (Raw SQL in your code is a smell worth investigating.)
- Prevent executable files from being uploaded.
- Filter sensitive parameters from the logs.
- Beware CSRF (Cross-Site Request Forgery) and use protect_from_forgery and csrf_meta_tag.
- Beware XSS (Cross-Site Scripting) and use the h helper in views (this is the default in Rails 3, luckily).
- Watch out for session hijacks.
- Avoid using redirects to user supplied URLs.
- Avoid using user params or content in the send_file method.
- Make non-ActionController methods private.