Given a choice between dancing pigs and security, users will pick dancing pigs every time.
—Ed Felten and Gary McGraw
Security issues are often overlooked on smaller sites or low-traffic applications; unfortunately, the reach of the Web has expanded to a point where end-to-end security is essential on any public-facing web site. There actually are people with nothing better to do than run a distributed denial-of-service attack on “Aunt Edna’s Funny Cat Pictures.” Nobody can afford to ignore the dangers that face a site simply as a consequence of being accessible on the Internet.
In this chapter, we will take a top-down approach to examining the various security-related issues that plague web application developers. We start by examining the architectural, application-level principles you should keep in mind. Later, we will get progressively more detailed. We will examine the security-related issues you should keep in mind when working at a lower level in Rails.
First, we will examine some important principles that should guide the design of any web application.
The most important guideline in the area of authentication is simple:
Always salt and hash all passwords!
There are very few valid exceptions to this rule, and even fewer apply to web applications. The only possible reason to store passwords in plain text is if they must be provided to an external service in plain text. Even then, the passwords should be symmetrically encrypted ...