I'm looking at Rails and am about to learn to create users plus authentication. I was wondering how you know, as a beginner, if the tutorial being followed or the techniques you're using are sufficient enough for safe public use?
Is there a set of standards that are generally accepted as safe? Is it easier to make databases safe than I think it is?
What if you want to build a payments feature, how can you know if that's secure without being an expert in security?
Here's a list of things to check in your application before putting it into production:
Chances are you're using Devise for authentication. That's a very good start. Not directly related to authentication, but make sure you don't store any secrets in the session (session[…] in Rails). Also be aware that there are replay attacks (see Rails security guide, replay attack section), so think about what you store in the session.
Depending on the size of your application, but if growing, use an authorization gem like CanCanCan or Pundit. That works usually very well, and there are many example applications. However, when you'll have several layers of ownership (like projects/2/documents/5), make sure that not only the parent object belongs to this user (project 2 belongs to this current user in the example), but also that this child object belongs to the parent object (document 5 belongs to project 2 in the example). This type of check is a common problem.
SSL: If you use HTTPS, and a serious application probably should, then make sure it's used everywhere, it's HTTPS-only and check the server configuration via SSLlabs.
HTTP headers: Make sure you understand what the default HTTP headers do that are sent with Rails, see in the Rails security guide, section 9 Default headers.
Routes: Don't use the default route: match ':controller(/:action(/:id(.:format)))' and make sure all routes are available only via one HTTP verb. This also serves as a CSRF protection. URLs which are more like a question should be HTTP GET, actions that change the state of the app should be non-GET. See the routing Rails guide.
Database configuration: The 2 most important steps: Make the DB server only accessible on localhost (search google mysql only localhost). And restrict the rights of the Rails DB user at the DB level with the GRANT SQL syntax (search for "mysql grant").
Logging: Don't log secrets in your log files, add Rails.application.config.filter_parameters to your configuration and include attributes like :password.
This is a very broad topic, but you probably know already that Rails automatically escapes "unsafe" strings in views, so everything that comes from the user or from the database. Be very careful when using the raw() method or if you're constructing HTML yourself in a method. Everything that comes from the user is potentially a security risk. This is, in fact, the number one reason accounts get "hacked".
Don't use params directly or indirectly with the render() method.
Are you using respond_to in your controllers? If so, check every action whether it responds to the .xml or .json version because it might be too much information you're rendering here. Whenever you call model.to_xml or model.to_json (also indirectly via respond_with) you might be leaking secrets or just too much.
When using redirect_to, make sure you don't use the user params directly, also not parts of it. If you need to redirect dynamically, make a whitelist of all allowed targets or check with a regular expression, e.g. params[:back_url] =~ %r(\A#{home_url})
Your application should be safe against CSRF, read about it (see Rails security guide, CSRF section) and try to exploit it yourself by tampering with the authenticity token that you'll find in every Rails form.
An uploaded file could contain something else than the file extension indicated (an HTML comment in a PNG image is a famous example). Make sure you validate the allowed content types (e.g. only PNG allowed) and send files as attachments if possible (see the send_file method, :disposition option). The best option is to store the uploaded files on a different server, just in case there would be XSS in the file.
Regular expressions: Don't use ^ and $ to match the beginning and end of a string, use \A, \z instead.
Secrets: You've three options to store values: Clear text, cryptographic hashes (one-way, the original text can't be retrieved anymore), encrypted values. Passwords should be stored in a hashed form (Devise does that for you), any other secret field should be encrypted (for example with attr_encrypted) for the very worst case.
Rails does a good job of preventing SQLi, but you've to remember a few things: * Never use user-supplied values in string inflection like User.delete_all("id = #{params[:id]}") * Check your code for all other examples at http://rails-sqli.org/
Make sure you've as little to do with it as possible if you're a beginner. Use a gem and a payment provider, they make sure the payment details never travel through your server.
I'd recommend staying up-to-date, testing the security constantly yourself, develop your own security policy, be prepared for the worst case and run some automatic security checks. Some tips how to deal with all that while you've no time, I've summarized here. Then you're getting closer and closer to a production-ready application.
You can read these article and build up confidence with own self.
As mentioned by Sergio Tulentsev in the comments, making a (production) Rails app secure against real-world threats requires strong expertise.
Now, if you are in a learning process and would like to understand what could make your app vulnerable and how you could address each and every concern, I recommend you go through one of the following security checklists:
Pretty much any web service application uses the same security protocol, in other words, a user has to enter a password to access their stuff, some have implemented 2-step authentication – which indeed helps a lot.
Depending on what you build, everything follows some core infrastructure for security.
Even websites like Facebook and Google are hacked. Some software is reverse engineered.
I once wondered: Can you do something about hackers? The answer is no. Except fix bugs and security holes in your software and hope for the best.
Even the most top experts on computer security cannot do much.
A quick Google search gave me this:
Techniques to Secure Your Website with Ruby On Rails (Part 1)
@darkace: Here’s some additional advice, if you want to build your dream web service, just go for it. Facebook was built with poor security, in the early days, they stored un-hashed passwords into *.txt files. And anyone who somehow could access the ROOT directory has all of the suddenly access to both passwords, and e-mails of users, not Facebook employees.
Today however, Facebook is a billion dollar company, has hired a lot of security experts and has boosted and secured its server infrastructure.
Once your application service is generating cash, you can invest to secure it. Do not worry too much about it now. No hacker in the world cares about your application. You are too small for now, but if you ever grow and make millions from it, hackers will come after your software.
