Consider adding guidelines on leaking minimal information on server-side technologies

Open eliotsykes opened this issue 8 years ago • 0 comments

Are these measures a worthwhile exercise?

  • Strip server version and any other revealing headers
  • Remove default rails new-generated assets from public/
  • Custom error pages that aren't the default Rails error pages
  • Avoiding default routes for engines such as Devise
  • Customize revealing meta tags such as CSRF token names?
  • Are cookie names/contents revealing?
  • Avoid default names and paths for assets, application.js, application.css

eliotsykes avatar May 16 '17 17:05 eliotsykes
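As an added example that is not part of the issue or the rails-security-checklist project, the first item in the list (strip the Server header and other revealing headers) can be implemented at the Rack layer. The middleware below only follows the Rack `call(env)` contract, so it runs here against a constructed stub app without Rack or Rails installed; the header list, the stub app's values and the Rails wiring in the comments are assumptions.

```ruby
# Rack-style middleware that drops response headers identifying the
# web server, framework or runtime (e.g. "Server: Puma ...",
# "X-Powered-By: Phusion Passenger", "X-Runtime" from Rack::Runtime).
# Assumed Rails wiring, in config/application.rb:
#   config.middleware.insert_before 0, StripRevealingHeaders
# Headers added by a reverse proxy in front of the app (nginx, a CDN)
# are not reachable from here and must be suppressed in that layer.
class StripRevealingHeaders
  # Illustrative default list; extend it to match your own stack.
  REVEALING = %w[server x-powered-by x-runtime].freeze

  def initialize(app, extra: [])
    @app = app
    @names = (REVEALING + extra).map(&:downcase)
  end

  def call(env)
    status, headers, body = @app.call(env)
    # Match case-insensitively: servers and middleware are inconsistent
    # about header casing ("Server" vs "server").
    cleaned = headers.reject { |name, _| @names.include?(name.to_s.downcase) }
    [status, cleaned, body]
  end
end

# Constructed stub standing in for the Rails app; the header values are
# made up and only represent the kind of detail a default stack emits.
STUB_APP = lambda do |_env|
  [200,
   { "Content-Type" => "text/html",
     "Server" => "Puma 0.0.0 (constructed)",
     "X-Powered-By" => "Phusion Passenger (constructed)",
     "X-Runtime" => "0.012345" },
   ["<h1>ok</h1>"]]
end

# Runs one request through the middleware and returns the surviving headers.
def response_headers_after_strip(extra: [])
  app = StripRevealingHeaders.new(STUB_APP, extra: extra)
  _status, headers, _body = app.call({ "REQUEST_METHOD" => "GET" })
  headers
end

puts response_headers_after_strip.inspect if __FILE__ == $PROGRAM_NAME
```

Checking with `curl -sI` against a deployed app is the quickest way to confirm which headers actually reach clients, since the proxy layer may re-add its own.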