Security checks before releasing a Ruby on Rails Application

Contributed by Khurshidali Shaikh on 19 May 2011

When you upload your latest app to a production Web server and open it up to the world, you are really throwing your app to the elements, good and bad. Your reputation is at stake. This blog post lists the security checks to run before releasing an application:

  1. Don’t trust logged in users. (Authentication is one thing, authorization to perform certain tasks is another)
  2. Always perform authentication and authorization on the server side as well. It's not enough to hide certain links in the frontend and assume that only the allowed users will reach them.
  3. Beware of mass assignments. (Use attr_accessible in your models!)
  4. Make some attributes un-editable with attr_readonly.
  5. Watch out for SQL injection vectors. (Raw SQL in your code is a smell worth investigating.)
  6. Prevent executable files from being uploaded.
  7. Filter sensitive parameters from the logs.
  8. Beware CSRF (Cross-Site Request Forgery) and use protect_from_forgery and csrf_meta_tag.
  9. Beware XSS (Cross-Site Scripting) and use the h helper in views (this is the default in Rails 3, luckily).
  10. Watch out for session hijacks.
  11. Avoid using redirects to user supplied URLs.
  12. Avoid using user params or content in the send_file method.
  13. Make non-ActionController methods private.
  14. Check your dependencies for security updates and patches.
  15. Don’t store passwords in the database as clear text.
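As an added example (not part of the original post, and not Rails' own implementation), the following plain-Ruby script models items 3, 4, 7 and 15 so they can be run without a Rails install. The helper names (sanitize_mass_assignment, filter_params, hash_password, password_matches?) are invented for this illustration; the whitelist behaviour mirrors what attr_accessible and attr_readonly enforce, the log redaction mirrors the spirit of Rails' filter_parameters, and the password storage uses PBKDF2 from the standard OpenSSL library. The sample form data is constructed.

```ruby
require 'openssl'
require 'securerandom'

# Items 3 and 4: whitelist mass-assigned attributes (the way attr_accessible does)
# and refuse updates to attributes declared read-only once a record is persisted
# (the way attr_readonly does). Returns [accepted_hash, rejected_keys] so the
# caller can log exactly which keys a tampered form tried to smuggle in.
def sanitize_mass_assignment(params, accessible:, readonly: [], persisted: false)
  allowed = accessible.map(&:to_s)
  frozen  = readonly.map(&:to_s)
  accepted = {}
  rejected = []
  params.each do |key, value|
    name = key.to_s
    if !allowed.include?(name)
      rejected << name            # not whitelisted, e.g. an "admin" flag added client-side
    elsif persisted && frozen.include?(name)
      rejected << name            # read-only after creation, e.g. an account number
    else
      accepted[name] = value
    end
  end
  [accepted, rejected]
end

# Item 7: redact sensitive keys before a params hash reaches the log.
# Nested hashes and arrays are walked; a key matches if it contains any
# of the sensitive substrings (so "password_confirmation" is caught too).
FILTERED = '[FILTERED]'.freeze
def filter_params(params, sensitive: %w[password credit_card token])
  case params
  when Hash
    params.each_with_object({}) do |(k, v), out|
      hit = sensitive.any? { |s| k.to_s.downcase.include?(s) }
      out[k] = hit ? FILTERED : filter_params(v, sensitive: sensitive)
    end
  when Array
    params.map { |v| filter_params(v, sensitive: sensitive) }
  else
    params
  end
end

# Item 15: store a random salt plus a slow PBKDF2-HMAC-SHA256 hash, never the
# clear text. The stored form is "<hex salt>$<hex hash>".
PBKDF2_ITERATIONS = 100_000
def hash_password(password, salt = SecureRandom.hex(16))
  digest = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, PBKDF2_ITERATIONS, 32,
                                      OpenSSL::Digest.new('sha256'))
  "#{salt}$#{digest.unpack1('H*')}"
end

# Recompute with the stored salt and compare in constant time, so response
# timing does not reveal how many leading bytes of the hash matched.
def password_matches?(stored, candidate)
  salt, expected = stored.split('$', 2)
  actual = hash_password(candidate, salt).split('$', 2).last
  return false unless expected.bytesize == actual.bytesize
  expected.bytes.zip(actual.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a signup form that was edited client-side to add an admin flag.
  form = { 'name' => 'alice', 'password' => 'hunter2', 'admin' => true }
  accepted, dropped = sanitize_mass_assignment(form, accessible: %i[name password])
  puts "accepted=#{accepted.keys.inspect} dropped=#{dropped.inspect}"
  puts "log-safe params: #{filter_params(form).inspect}"
  stored = hash_password(form['password'])
  puts "stored: #{stored}"
  puts "login ok? #{password_matches?(stored, 'hunter2')}"
end
```

Running the script shows the admin flag being dropped rather than silently written, the password replaced by [FILTERED] in the loggable copy, and a login check that succeeds only for the original password. In a real Rails 3 app the first two concerns are handled by attr_accessible/attr_readonly and config.filter_parameters; the point of the stand-alone version is to make the behaviour each setting buys you explicit.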
