CSC/ECE 517 Fall 2014/ch1a 23 ss
Security Features in Rails 4.x
This wiki aims to highlight all the security features in a popular web application framework: Rails 4.x
Threats Against Web Applications
The threats against web applications include
user account hijacking
Session Hijacking
Vulnerabilities
Session Hijacking -Replay Attacks for CookieStore Sessions
Guide to Mitigation -Do not store large objects in a session. -Critical data should not be stored in session.
bypass of access control
reading or modifying sensitive data
presenting fraudulent content
Trojan horse
Security Enhancements
CSRF via Leaky #match Routes
Regular Expression Anchors in Format Validations
Clickjacking
User-Readable Sessions
Unresolved Issues
Verbose Servers Headers
Binding to 0.0.0.0
Versioned Secret Tokens
Logging Values in SQL statements
Offsite Redirects
Reference
http://blog.codeclimate.com/blog/2013/03/27/rails-insecure-defaults/