Eliot Sykes

142 issues by Eliot Sykes

Consider a guideline to invalidate any credentials received over plain HTTP. Consider sending a courtesy email to the account owner?

Set `rel="noopener noreferrer"` attribute on `target="_blank"` links. More at: https://dev.to/ben/the-targetblank-vulnerability-by-example Consider if `link_to` and other `link_*` helpers should automatically set the `rel="noopener noreferrer"` attribute if `target` option is set to...

- Consider safelisting incoming requests by IP address. E.g. Stripe provide a list of IP addresses that your Stripe webhook endpoint could verify incoming requests against: https://stripe.com/docs/ips
- Consider adding...

Mail providers (such as Mailgun & Mailchimp) are often set up to track all links in the emails that are sent through their servers. This means your provider may be logging...

This may surprise developers used to other templating engines used in Rails, but, at time of writing, Liquid does not behave like ERB/HAML templates in Rails where interpolated values are...

Say env is used to store an admin password:

```ruby
ENV['ADMIN_PASSWORD'] = 'topsecret'
```

And authentication uses hashed value:

```ruby
# Hash both sides so the constant-time comparison runs on equal-length strings.
authenticated = ActiveSupport::SecurityUtils.secure_compare(
  ::Digest::SHA256.hexdigest(ENV.fetch('ADMIN_PASSWORD')),
  ::Digest::SHA256.hexdigest(params[:password])
)
```

Perhaps favor storing...

Rails 5.2 is looking like it will replace encrypted secrets with encrypted credentials - see the PR here: https://github.com/rails/rails/pull/30067 Rails 5.1 was released with an encrypted secrets feature: https://github.com/rails/rails/issues/25095 + PR:...

https://github.com/plataformatec/devise/commit/7acc7a6659834ccc6f15ab54685faf1dea41f47c

When using a payment integration like Stripe JS for taking credit card details, ensure that any HTML forms that contain the credit card number fields do not submit those fields...

Are these measures a worthwhile exercise?

- Strip server version and any other revealing headers
- Remove default `rails new`-generated assets from `public/`
- Custom error pages that aren't the...