Rails Security Checklist

This checklist is limited to Rails-specific security precautions. Many other aspects of running a Rails app securely (e.g. keeping the operating system and other software up to date) are outside its scope and are not covered here. Consult a security expert.

One aim for this document is to turn it into a community resource much like the Ruby Style Guide.

BEWARE: this checklist is not comprehensive. It was originally drafted by a Rails developer with an interest in security, not a security expert, so it may contain mistakes. You have been warned!

The Checklist (in no particular order)

Controllers

Routes

Views

URL Secret Tokens

IDs

Random Token Generation

Logging

Input Sanitization

Markdown Rendering

Uploads and File Processing

Email

Detecting Abuse and Fraud

Logins, Registrations

Passwords

Timing Attacks

Databases

Redis

Gems

Detecting Vulnerabilities

Software Updates

Test Coverage for Security Concerns

Cross Site Scripting

Developer Hardware

Public, non-production Environments (Staging, Demo, etc.)

Regular Expressions

Handling Secrets

Cookies

Headers

Assets

TLS/SSL

Traffic

Contacting Users

Regular Practices

Further Reading

Reminders

Contributors

Contributions welcome!