Application Security for Rails Engineers

Oleksii Vasyliev, Railsware

Oleksii Vasyliev

Security

Company security areas

Web Application Security Basics

HTTP Headers

Content Security Policy (CSP)


Content-Security-Policy: default-src 'self';
  img-src * data: blob:;
  media-src media1.com media2.com;
  script-src userscripts.example.com

Content Security Policy (CSP)


# config/initializers/content_security_policy.rb: the app-wide policy
Rails.application.config.content_security_policy do |policy|
  policy.default_src :self
  policy.script_src :self, 'js.example.com'
  policy.style_src :self, :unsafe_inline   # allows inline styles; weakens the policy
  policy.report_uri "/csp-violation-report-endpoint"
end

Content Security Policy (CSP)


# per-controller override of the app-wide policy
content_security_policy do |policy|
  policy.default_src :self
  policy.img_src '*', :data, :blob          # any host, plus data: and blob: URLs
  policy.script_src :self, 'js.example.com'
  policy.frame_src :self, 'widget.example.com'
  policy.media_src :self, 'media.example.com'
end

UNSAFE-INLINE and UNSAFE-EVAL

Content Security Policy Report Only


Content-Security-Policy-Report-Only: default-src *;
  img-src * data: blob:;
  report-uri /csp-violation-report-endpoint/
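Worked example, added here and not taken from the talk or from Rails: a small Ruby model of CSP source matching that takes the header from the slide above and answers whether a given load would be allowed. The page origin https://app.example.com is an assumed value. The same class produces the serialised header the Rails DSL emits and the Report-Only header name.

```ruby
require "uri"

# Toy CSP evaluator, added for this page; it is not Rails' or any browser's
# implementation. It models enough of CSP source-expression matching to show
# why the header on the slide allows or blocks a given load. Nonces and hashes
# are not modelled.
class CspPolicy
  # Fetch directives fall back to default-src when they are not set.
  FETCH_DIRECTIVES = %w[script-src style-src img-src media-src connect-src
                        font-src frame-src object-src].freeze

  # directives:  { "script-src" => ["'self'", "js.example.com"], ... }
  # page_origin: origin of the protected document (an assumed value below)
  def initialize(directives, page_origin:, report_only: false)
    @directives  = directives
    @page        = URI(page_origin)
    @report_only = report_only
  end

  def header_name
    @report_only ? "Content-Security-Policy-Report-Only" : "Content-Security-Policy"
  end

  # Same serialisation the Rails DSL produces: "name src src; name src".
  def header_value
    @directives.map { |name, sources| "#{name} #{sources.join(' ')}" }.join("; ")
  end

  def to_header
    "#{header_name}: #{header_value}"
  end

  # target: a URL string, :inline for an inline script/style, :eval for eval().
  # Returns true when the policy lets the load happen.
  def allows?(directive, target)
    sources = effective_sources(directive)
    return true if sources.nil?            # directive absent and no default-src: not governed
    return false if sources == ["'none'"]
    return sources.include?("'unsafe-inline'") if target == :inline
    return sources.include?("'unsafe-eval'")   if target == :eval

    url = URI(target)
    sources.any? { |src| source_matches?(src, url) }
  end

  private

  def effective_sources(directive)
    return @directives[directive] if @directives.key?(directive)
    @directives["default-src"] if FETCH_DIRECTIVES.include?(directive)
  end

  def source_matches?(src, url)
    case src
    when "'self'"
      url.scheme == @page.scheme && url.host == @page.host && url.port == @page.port
    when "*"
      %w[http https ws wss].include?(url.scheme)   # '*' never matches data: or blob:
    when /\A[a-z][a-z0-9+.-]*:\z/i                  # scheme-source, e.g. "data:"
      "#{url.scheme}:".casecmp?(src)
    when "'unsafe-inline'", "'unsafe-eval'"
      false                                         # keywords never match a URL
    else
      host_source_matches?(src, url)
    end
  end

  # host-source: [scheme://]host[:port]; host may begin with "*." for subdomains.
  def host_source_matches?(src, url)
    return false unless url.host
    scheme, rest = src.include?("://") ? src.split("://", 2) : [nil, src]
    host, port   = rest.split(":", 2)
    # No scheme in the source: only the page's scheme (or its https upgrade) matches.
    allowed_schemes = scheme ? [scheme] : [@page.scheme, "https"]
    return false unless allowed_schemes.include?(url.scheme)
    return false if port && port != url.port.to_s
    host.start_with?("*.") ? url.host.end_with?(host[1..]) : url.host == host
  end
end

# The policy from the slide, applied to an assumed page origin (not on the slide).
SLIDE_POLICY = CspPolicy.new(
  {
    "default-src" => ["'self'"],
    "img-src"     => ["*", "data:", "blob:"],
    "media-src"   => ["media1.com", "media2.com"],
    "script-src"  => ["userscripts.example.com"],
  },
  page_origin: "https://app.example.com"
)

if __FILE__ == $PROGRAM_NAME
  puts SLIDE_POLICY.to_header
  puts SLIDE_POLICY.allows?("script-src", "https://userscripts.example.com/a.js")  # true
  puts SLIDE_POLICY.allows?("script-src", :inline)                                  # false
end
```

Two things the model makes visible: a directive that is not listed (connect-src here) inherits default-src, so the API host must be added explicitly once it differs from the page origin; and a schemeless host like media1.com only matches https loads when the page itself is https.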
        

Strict-Transport-Security

Strict-Transport-Security:
  max-age=31536000; includeSubDomains; preload

Rails sends this header for you once config.force_ssl = true (ActionDispatch::SSL). Add preload only when every subdomain already serves HTTPS: removal from the browser preload list is slow.

X-Frame-Options

X-Frame-Options: DENY | SAMEORIGIN | ALLOW-FROM https://example.com

ALLOW-FROM is obsolete and ignored by current browsers; use the CSP frame-ancestors directive instead. Rails sets SAMEORIGIN by default.

More headers...

Cache-Control, Pragma and Expires

Ask the browser not to cache pages with sensitive information

response.headers['Cache-Control'] =
  'private, no-cache, no-store, max-age=0'
response.headers['Pragma'] = 'no-cache'
response.headers['Expires'] = '0'

Rails Default Headers
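Added example, not from the talk and not Rails' own ActionDispatch code: a Rack-style middleware that applies a default header set, adds the no-store trio from the previous slide to sensitive responses, sends HSTS only over HTTPS, and reports which hardening headers a response still lacks. The default values are assumed to match what Rails 7 ships as config.action_dispatch.default_headers; the path prefixes /account and /admin, the stand-in apps and the request env are constructed for the example.

```ruby
# Rack-style middleware, added for this page; it is not Rails' ActionDispatch
# code. A Rack app is any object whose #call(env) returns [status, headers,
# body], so this runs without the rack gem. Header names use the capitalised
# Rack 2 form; Rack 3 expects them lowercased.
class SecurityHeaders
  # Modelled on Rails' config.action_dispatch.default_headers (values assumed
  # to match what Rails 7 ships; check your own Rails version).
  DEFAULTS = {
    "X-Frame-Options"                   => "SAMEORIGIN",
    "X-Content-Type-Options"            => "nosniff",
    "X-XSS-Protection"                  => "0",
    "X-Permitted-Cross-Domain-Policies" => "none",
    "Referrer-Policy"                   => "strict-origin-when-cross-origin",
  }.freeze

  # The Cache-Control/Pragma/Expires trio from the slide.
  NO_STORE = {
    "Cache-Control" => "private, no-cache, no-store, max-age=0",
    "Pragma"        => "no-cache",
    "Expires"       => "0",
  }.freeze

  HSTS = "max-age=31536000; includeSubDomains".freeze

  # sensitive_prefixes: path prefixes (assumed names) whose responses must not be cached
  def initialize(app, sensitive_prefixes: ["/account", "/admin"])
    @app      = app
    @prefixes = sensitive_prefixes
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers = DEFAULTS.merge(headers)          # the app may override a default
    headers = headers.merge(NO_STORE) if sensitive?(env, headers)
    # HSTS is only meaningful (and only honoured by browsers) on an HTTPS response.
    headers["Strict-Transport-Security"] ||= HSTS if env["rack.url_scheme"] == "https"
    [status, headers, body]
  end

  # Report which hardening headers a finished response still lacks.
  def self.missing(headers)
    (DEFAULTS.keys + ["Strict-Transport-Security"]) - headers.keys
  end

  private

  # A response is sensitive when it is under a protected path or sets a cookie
  # (a session being issued is a strong hint the page is per-user).
  def sensitive?(env, headers)
    path = env["PATH_INFO"].to_s
    @prefixes.any? { |prefix| path.start_with?(prefix) } || headers.key?("Set-Cookie")
  end
end

# Constructed stand-ins for the Rails app.
PUBLIC_APP = ->(_env) { [200, { "Content-Type" => "text/html" }, ["<h1>hi</h1>"]] }
LOGIN_APP  = ->(_env) { [200, { "Content-Type" => "text/html", "Set-Cookie" => "_app_session=abc; HttpOnly" }, ["ok"]] }

# Minimal Rack env for a request (constructed; only the keys this middleware reads).
def rack_env(path, scheme: "https")
  { "PATH_INFO" => path, "REQUEST_METHOD" => "GET", "rack.url_scheme" => scheme }
end

def response_headers(app, path, scheme: "https")
  _status, headers, _body = SecurityHeaders.new(app).call(rack_env(path, scheme: scheme))
  headers
end

if __FILE__ == $PROGRAM_NAME
  p response_headers(PUBLIC_APP, "/account/settings")
  p SecurityHeaders.missing(response_headers(PUBLIC_APP, "/", scheme: "http"))
end
```

SecurityHeaders.missing is the kind of check worth running in a request spec against a few representative pages, so a header dropped by a refactor or a new middleware ordering shows up in CI rather than in a pentest report.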

Web

Basics

Subresource Integrity

javascript_include_tag :application,
  integrity: true, crossorigin: 'anonymous'

<script src="/assets/application.js"
  integrity="sha256-TvVUHzSfftWg1rcfL6TIJ0XKEGrgLyEq6lEpcmrG9qs="
  crossorigin="anonymous"></script>
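Added example, not from the talk and not Sprockets' implementation: how the integrity value above is derived from the asset bytes, and how a browser evaluates an integrity attribute that lists several hashes (only the strongest algorithm present counts). The asset body standing in for /assets/application.js is constructed; the helper names are this example's own.

```ruby
require "digest"

# Subresource Integrity helpers, added for this page; they are not Sprockets'
# code, only a demonstration of what the integrity attribute holds and how a
# browser checks it. Ordered weakest to strongest.
SRI_ALGORITHMS = {
  "sha256" => Digest::SHA256,
  "sha384" => Digest::SHA384,
  "sha512" => Digest::SHA512,
}.freeze

# "sha256-<base64 of the raw digest>": the value Rails emits for integrity: true
def sri_digest(content, algorithm: "sha256")
  digest = SRI_ALGORITHMS.fetch(algorithm).digest(content)
  "#{algorithm}-#{[digest].pack('m0')}"   # pack('m0') = strict base64, no newlines
end

# Browser-side check: parse the space-separated metadata, keep only the
# strongest algorithm present, and accept if any of those hashes matches.
# Per the SRI spec a browser ignores metadata it cannot parse at all; this
# helper fails closed instead, so it can double as a deploy-time verifier.
def sri_valid?(content, integrity)
  tokens = integrity.split.map { |token| token.split("-", 2) }
                    .select { |algo, _| SRI_ALGORITHMS.key?(algo) }
  return false if tokens.empty?
  strongest = tokens.map(&:first).max_by { |algo| SRI_ALGORITHMS.keys.index(algo) }
  tokens.select { |algo, _| algo == strongest }
        .any? { |algo, hash| sri_digest(content, algorithm: algo) == "#{algo}-#{hash}" }
end

# Render the <script> tag from the slide for a given asset body.
def script_tag(src, content)
  %(<script src="#{src}" integrity="#{sri_digest(content)}" crossorigin="anonymous"></script>)
end

# Constructed asset body standing in for /assets/application.js.
APPLICATION_JS = "document.addEventListener('DOMContentLoaded', () => console.log('ready'));\n"

if __FILE__ == $PROGRAM_NAME
  puts script_tag("/assets/application.js", APPLICATION_JS)
  puts sri_valid?(APPLICATION_JS + "//tampered", sri_digest(APPLICATION_JS))  # false
end
```

The crossorigin="anonymous" attribute matters for assets on another origin: without it the browser fetches in no-CORS mode and cannot perform the check at all.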
        

Registration form under attack!

Ruby/Rails

Cross-Site Request Forgery (CSRF)

protect_from_forgery with: :exception

ActiveSupport::SecurityUtils against timing attacks

ActiveSupport::SecurityUtils.secure_compare(a, b)
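Added example covering both of the slides above (protect_from_forgery and secure_compare); it is written for this page and is not Rails' code. It follows the token masking Rails uses for the authenticity token (a fresh one-time pad XORed with the session token, both sent to the client) and checks the submitted token with a constant-time comparison. The helper names are this example's own; the 32-byte token length matches Rails' constant.

```ruby
require "securerandom"

# Pure-Ruby model of protect_from_forgery's token handling and of
# ActiveSupport::SecurityUtils.secure_compare. Added for this page; not Rails' code.

TOKEN_LENGTH = 32  # bytes; the value of Rails' AUTHENTICITY_TOKEN_LENGTH

# Constant-time equality: visit every byte, never short-circuit.
# Plain `a == b` stops at the first differing byte, so the time it takes
# leaks how many leading bytes an attacker has already guessed right.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize  # the length is all this leaks
  result = 0
  a.bytes.zip(b.bytes).each { |x, y| result |= x ^ y }
  result.zero?
end

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack("C*")
end

def urlsafe_encode(bytes)
  [bytes].pack("m0").tr("+/", "-_")
end

def urlsafe_decode(str)
  str.tr("-_", "+/").unpack1("m0")   # strict decode; raises ArgumentError on junk
end

# What the session stores: a fresh random token, base64 encoded.
def generate_session_token
  urlsafe_encode(SecureRandom.random_bytes(TOKEN_LENGTH))
end

# What goes into the form field / meta tag: a different value on every render,
# so a compression side channel (BREACH) cannot recover the session token.
def mask_token(session_token)
  raw = urlsafe_decode(session_token)
  pad = SecureRandom.random_bytes(TOKEN_LENGTH)
  urlsafe_encode(pad + xor_bytes(pad, raw))
end

# Reverse the masking; nil for anything that is not pad || (pad ^ token).
def unmask_token(masked)
  bytes = urlsafe_decode(masked)
  return nil unless bytes.bytesize == 2 * TOKEN_LENGTH
  pad        = bytes[0, TOKEN_LENGTH]
  masked_raw = bytes[TOKEN_LENGTH, TOKEN_LENGTH]
  xor_bytes(pad, masked_raw)
rescue ArgumentError
  nil
end

# Server side of protect_from_forgery: unmask what the client sent and compare
# it to the session's token in constant time.
def valid_authenticity_token?(session_token, submitted)
  return false if submitted.nil? || submitted.empty?
  real = unmask_token(submitted)
  return false if real.nil?
  secure_compare(real, urlsafe_decode(session_token))
end

if __FILE__ == $PROGRAM_NAME
  session = generate_session_token
  form_value = mask_token(session)
  puts "session token : #{session}"
  puts "form field    : #{form_value}"
  puts "valid?        : #{valid_authenticity_token?(session, form_value)}"
end
```

With `protect_from_forgery with: :exception` the false branch above becomes an ActionController::InvalidAuthenticityToken; the alternative `with: :null_session` silently processes the request with an empty session, which is the better fit for API endpoints that authenticate by token rather than cookie.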

Backdoor code in gems (source)

Gems sandbox checking

Tools

Secret Datastores

SSH access

Team

Building a healthy security culture

My message to companies that think they haven't been attacked is: You're not looking hard enough

James Snook

<Thank You!> Questions?

Contact information
