
Advanced Rails by Brad Ediger


Chapter 5. Security

Given a choice between dancing pigs and security, users will pick dancing pigs every time.

—Ed Felten and Gary McGraw

Security issues are often overlooked on smaller sites or low-traffic applications; unfortunately, the reach of the Web has expanded to a point where end-to-end security is essential on any public-facing web site. There actually are people with nothing better to do than run a distributed denial-of-service attack on “Aunt Edna’s Funny Cat Pictures.” Nobody can afford to ignore the dangers that face a site simply as a consequence of being accessible on the Internet.

In this chapter, we will take a top-down approach to examining the various security-related issues that plague web application developers. We start by examining the architectural, application-level principles you should keep in mind. Later, we will get progressively more detailed. We will examine the security-related issues you should keep in mind when working at a lower level in Rails.

Application Issues

First, we will examine some important principles that should guide the design of any web application.

Authentication

The most important guideline in the area of authentication is simple:

          Always salt and hash all passwords!

There are very few valid exceptions to this rule, and even fewer apply to web applications. The only possible reason to store passwords in plain text is if they must be provided to an external service in plain text. Even then, the passwords should be symmetrically encrypted ...
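The rule above, worked through in Ruby as an added example (not code from the book): each password gets its own random salt, the salt and password are run through PBKDF2-HMAC-SHA256 from Ruby's standard library, and verification recomputes the hash and compares it in constant time. The stored record format "pbkdf2$iterations$salt_hex$hash_hex" is an assumption for this example; in a real Rails application the bcrypt gem is the usual choice.

```ruby
require 'openssl'
require 'securerandom'

# Parameters chosen for this example; raise ITERATIONS as hardware allows.
ITERATIONS  = 100_000
KEY_LENGTH  = 32   # bytes of derived key
SALT_LENGTH = 16   # bytes of random salt per password

# Derive a salted hash. A fresh random salt means two users with the same
# password get different stored values, defeating precomputed tables.
def hash_password(password, salt: SecureRandom.random_bytes(SALT_LENGTH), iterations: ITERATIONS)
  digest = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, KEY_LENGTH, 'sha256')
  ['pbkdf2', iterations, salt.unpack1('H*'), digest.unpack1('H*')].join('$')
end

# Compare two byte strings without short-circuiting on the first mismatch,
# so timing does not leak how many leading bytes matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify a candidate password against a stored record. Malformed records
# (wrong scheme, missing fields) verify as false rather than raising.
def verify_password(stored, candidate)
  scheme, iterations, salt_hex, hash_hex = stored.to_s.split('$', 4)
  return false unless scheme == 'pbkdf2'
  return false if [iterations, salt_hex, hash_hex].any?(&:nil?)
  salt     = [salt_hex].pack('H*')
  expected = [hash_hex].pack('H*')
  actual   = OpenSSL::PKCS5.pbkdf2_hmac(candidate, salt, iterations.to_i, expected.bytesize, 'sha256')
  secure_compare(expected, actual)
end

if __FILE__ == $PROGRAM_NAME
  record = hash_password('correct horse battery staple')   # constructed sample password
  puts record
  puts verify_password(record, 'correct horse battery staple')  # true
  puts verify_password(record, 'wrong password')                # false
end
```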
