Gist xdite/5618045, created May 21, 2013 07:19

Security is Hard

Mass Assignment

  • watch for ActiveRecord associations like has_many and has_many :through (their *_ids writers are mass-assignable attributes too)
  • watch for join tables such as user_roles and group_users
  • watch the UPDATE action, not only CREATE
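An added example (not from the gist) of the whitelist the bullets above ask for, written in plain Ruby so it runs without Rails. The attribute names, the nested address hash and the hostile request are constructed; in a Rails 3.2 app the same allowlist is `attr_accessible :name, :email` on the model (with `config.active_record.whitelist_attributes = true`) or `params.require(:user).permit(...)` with strong_parameters.

```ruby
# Minimal allowlist filter in the spirit of attr_accessible / strong
# parameters. Keys not on the list are dropped, never "cleaned".
def permit(params, allowed)
  params.each_with_object({}) do |(key, value), out|
    key = key.to_s
    rule = allowed.find { |a| a.is_a?(Hash) ? a.key?(key) : a == key }
    next unless rule
    if rule.is_a?(Hash)
      # nested hash: filter recursively against the nested allowlist
      next unless value.is_a?(Hash)
      out[key] = permit(value, rule[key])
    else
      out[key] = value
    end
  end
end

# What a user may change on their own profile. The join-table writer
# (role_ids, from has_many :through) and the admin flag are deliberately
# absent: anything not listed is unreachable from a request.
PROFILE_FIELDS = ['name', 'email', { 'address' => ['street', 'city'] }].freeze

# Constructed hostile request body, as an attacker would POST it to UPDATE.
HOSTILE_PARAMS = {
  'name'     => 'alice',
  'email'    => 'alice@example.com',
  'admin'    => true,                 # database attribute: instant promotion
  'role_ids' => [1, 2],               # has_many :through writer
  'address'  => { 'street' => '1 Main St', 'city' => 'Oslo', 'owner_id' => 7 }
}.freeze

# What update_attributes would receive after filtering.
def safe_update_params
  permit(HOSTILE_PARAMS, PROFILE_FIELDS)
end

if __FILE__ == $PROGRAM_NAME
  p safe_update_params
end
```

Note that the nested owner_id is dropped as well; a one-level whitelist that passes nested hashes through untouched still lets the attacker re-point the child record.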

Admin

  • use https://
  • use a subdomain
  • use a different domain
  • add a whitelist
  • don't back the admin? check with a plain database attribute (a boolean column is one mass assignment or SQL injection away from being flipped)
  • a 3rd party login such as GitHub is an option

Routes

  • remove match ':controller(/:action(/:id(.:format)))'
  • avoid match; declare only the routes you actually serve
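A config/routes.rb fragment for a hypothetical Rails 3.2 app named MyApp, added here as an example (not the gist's code): the catch-all route makes every public method of every controller reachable by URL, whether or not it was meant as an action; the replacement lists the actions that are actually served.

```ruby
MyApp::Application.routes.draw do
  # Before: every controller and every public method is reachable,
  # e.g. /users/destroy/1 or /admin/promote/7, under any HTTP verb.
  # match ':controller(/:action(/:id(.:format)))'

  # After: explicit, verb-restricted routes only. Anything else is a 404.
  resources :posts, only: [:index, :show, :new, :create, :edit, :update]
  resources :comments, only: [:create, :destroy]
  root to: 'posts#index'
end
```

Run rake routes after the change and read the list as an attack surface inventory: every line is a reachable action that needs authorization.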

HTML escape

  • watch for lists and breadcrumbs
  • break complex HTML helpers into partials
  • don't concatenate HTML strings in helpers
  • watch for TinyMCE content (rich-text editor output is rendered unescaped, so it must be sanitized, not trusted)
  • sanitize the tags against a whitelist
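An added example, not from the gist, of the breadcrumb case in plain Ruby using the stdlib escaper that Rails' h() builds on. The crumb list is constructed; the last entry stands for a user-named record that ends up in the trail.

```ruby
require 'erb'

CRUMBS = ['Home', 'Projects', '<img src=x onerror=alert(1)>'].freeze

# Vulnerable: the helper concatenates raw strings into markup. Once the
# result is marked html_safe (or printed with raw), the payload ships as-is.
def breadcrumb_unsafe(crumbs)
  crumbs.map { |title| "<li>#{title}</li>" }.join
end

# Safe: escape every untrusted piece before it touches markup; only the
# tags the helper itself writes are trusted.
def breadcrumb_safe(crumbs)
  crumbs.map { |title| "<li>#{ERB::Util.html_escape(title)}</li>" }.join
end

if __FILE__ == $PROGRAM_NAME
  puts breadcrumb_unsafe(CRUMBS)
  puts breadcrumb_safe(CRUMBS)
end
```

In Rails the idiomatic forms are content_tag(:li, title) and safe_join, which escape for you, or a partial that gets escaping from ERB. For TinyMCE output use the sanitize helper with an explicit whitelist, e.g. sanitize(html, tags: %w[p b i a], attributes: %w[href]), rather than raw.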

SQL injection

  • watch for search functions
  • actions with complex options, e.g. params[:date], params[:order], params[:field]
  • actions with complex joins
  • avoid find_by_sql and count_by_sql; use bind parameters instead of string interpolation
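An added example, not from the gist, covering the params[:order] / params[:field] case in plain Ruby. The posts table, its columns and both requests are constructed. The point it makes beyond the bullet: column names and sort direction cannot be passed as bind values, so they must be checked against an allowlist, while the search term can be bound (here with a simplified stand-in for what where("title LIKE ?", value) does).

```ruby
SORTABLE_FIELDS = %w[created_at title author].freeze
DIRECTIONS      = %w[asc desc].freeze

# Vulnerable: every option is interpolated, which is what a hand-built
# find_by_sql / count_by_sql string usually ends up doing.
def search_sql_unsafe(params)
  "SELECT * FROM posts WHERE title LIKE '%#{params['q']}%' " \
    "ORDER BY #{params['field']} #{params['order']}"
end

# Simplified stand-in for ActiveRecord's string quoting: wrap in single
# quotes and double any embedded quote.
def quote(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Hardened: identifiers come only from the allowlist (anything else is
# rejected, not "cleaned"); the user's term goes in as a quoted value.
def search_sql_safe(params)
  field = params.fetch('field', 'created_at')
  dir   = params.fetch('order', 'desc')
  raise ArgumentError, "bad field: #{field}" unless SORTABLE_FIELDS.include?(field)
  raise ArgumentError, "bad order: #{dir}"   unless DIRECTIONS.include?(dir)
  "SELECT * FROM posts WHERE title LIKE #{quote("%#{params['q']}%")} ORDER BY #{field} #{dir}"
end

# Constructed requests: one ordinary, one carrying injection in two places.
BENIGN_SEARCH  = { 'q' => "O'Reilly", 'field' => 'title', 'order' => 'asc' }.freeze
HOSTILE_SEARCH = { 'q' => "' OR 1=1 --", 'field' => 'title; DROP TABLE posts; --', 'order' => 'asc' }.freeze

if __FILE__ == $PROGRAM_NAME
  puts search_sql_unsafe(HOSTILE_SEARCH)
  puts search_sql_safe(BENIGN_SEARCH)
end
```

In a real app let ActiveRecord do the quoting (where("title LIKE ?", "%#{q}%")) and keep only the allowlist part; LIKE wildcards in the term are a separate concern (sanitize_sql_like in Rails 4.2+).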

Open source projects

  • replace config/initializers/secret_token.rb after cloning an open source project (a shared token lets anyone with the repo forge session cookies)
  • when releasing an open source project, read the token from ENV['SECRET_TOKEN']
  • when releasing an open source project, add secret_token.rb to .gitignore
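The three steps above as one config/initializers/secret_token.rb, added here as an example (not the gist's code) for a hypothetical Rails 3.2 app named MyApp. It fails at boot instead of falling back to a weak or shared value.

```ruby
# config/initializers/secret_token.rb
# The token never lives in the repository: generate it once per deployment
# with `rake secret` and export it as SECRET_TOKEN.
token = ENV['SECRET_TOKEN']

# Rails 3.2's cookie store refuses secrets shorter than 30 characters;
# `rake secret` emits 128 hex characters, so anything short is a mistake.
if token.nil? || token.length < 30
  raise 'SECRET_TOKEN is missing or too short; run `rake secret` and export the result'
end

MyApp::Application.config.secret_token = token
```

Add the line config/initializers/secret_token.rb to .gitignore as well, so a developer who keeps a local copy with a literal token cannot commit it by accident.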

Authorization

  • watch for EDIT, UPDATE, DESTROY
  • scope lookups through the current user so illegal access surfaces as a 404
  • use CanCan to authorize resources
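An added example, not from the gist, of the scoped lookup in plain Ruby. The Post records are constructed in memory to stand in for an ActiveRecord model; in a controller the same shape is current_user.posts.find(params[:id]), which raises ActiveRecord::RecordNotFound and therefore renders a 404, instead of Post.find(params[:id]) followed by (or, worse, without) an ownership check.

```ruby
class RecordNotFound < StandardError; end

Post = Struct.new(:id, :user_id, :title)

# Constructed table: two users, one post each.
POSTS = [
  Post.new(1, 10, 'alice draft'),
  Post.new(2, 11, 'bob draft')
].freeze

# Vulnerable pattern: global lookup by id. Any signed-in user who guesses
# an id can EDIT, UPDATE or DESTROY someone else's record.
def find_post_unscoped(id)
  POSTS.find { |p| p.id == id } or raise RecordNotFound
end

# Safe pattern: the lookup is scoped to the caller's own records, so a
# foreign id is indistinguishable from a nonexistent one (404, not 403).
def find_post_for(user_id, id)
  POSTS.find { |p| p.user_id == user_id && p.id == id } or raise RecordNotFound
end

if __FILE__ == $PROGRAM_NAME
  p find_post_for(10, 1)
  begin
    find_post_for(10, 2)
  rescue RecordNotFound
    puts 'user 10 cannot see post 2'
  end
end
```

With CanCan the equivalent is load_and_authorize_resource in the controller and an Ability such as can :manage, Post, user_id: user.id; the scoped find is still worth keeping so that an authorization bug fails closed.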

Rails version

  • upgrade Rails to 3.2.11 or later (the release that fixed the parameter-parsing remote code execution, CVE-2013-0156) and keep up with patch releases