Security notes

Web programming can be tricky - there are many ways in which attackers can find holes in a system, the application is accessible to anyone on the web. Rails has a number of defaults to mitigate this, but as a developer, you still need to be aware.

Some notes and links.

Lists

• Rails security guide (Rails guide)
• Rails cheat sheet at OWASP
• Rails insecure defaults (2013)

Specific issues

• Don't pass arbitrary URLs to redirect_to
• Don't put config in code - not the secret_token (we do now)

Check!

• Brakeman security scanner for Rails source code