* Don't store passwords (config/database.yml, db/seeds.rb), API keys (Amazon AWS), the Rails secret token (config/initializers/secret_token.rb), etc. in version control.
* Don't store production passwords and API keys on developer laptops.
* Inject secrets, API keys, etc. with e.g. dotenv.
* Don't import production data into other environments without obfuscating or cleaning the data.
* Use a different secret token in production than in staging, development, and other environments.
* ActiveRecord `serialize` and `store` (YAML) amount to an `eval` on stored data. Don't use YAML, use JSON.
* Don't write `redirect_to params[:url]`. If you have to, add `only_path: true`, or use `URI.parse` to keep only the path component.
* ActiveRecord is not safe from SQL injection. See http://rails-sqli.org for details.
* Enforce password strength.
* Set a cookie timeout: `expire_after: 30.minutes`.
* Hash passwords before storing them in the database (`has_secure_password`).
* Don't use GET for actions that change data (RequestForgeryProtection).
* Uploaded files should be sanitized: name, path, etc.
* Downloads of uploaded files should most likely be authorized (`send_file`, "Downloads done right").
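The `URI.parse` approach from the redirect item above, as an added example that is not part of the original checklist: it reduces an untrusted `params[:url]` value to a same-site path (plus query string) and falls back to a safe default for anything off-site or malformed. `safe_redirect_path` and its `fallback` argument are assumed names; the code needs no Rails to run.

```ruby
require "uri"

# Added example (hypothetical helper): turn an untrusted redirect parameter
# into a path on this application, for use as `redirect_to safe_redirect_path(params[:url])`.
# Returns a local path with its query string, or `fallback` when the value
# points off-site, is protocol-relative, or cannot be parsed.
def safe_redirect_path(untrusted, fallback: "/")
  value = untrusted.to_s.strip

  # Must be a single-slash relative reference. Browsers treat "//host" and
  # "/\host" as protocol-relative URLs, so reject those before parsing.
  return fallback unless value.match?(%r{\A/(?![/\\])})

  uri = URI.parse(value)

  # Belt and braces: URI.parse must agree there is no scheme or host
  # (catches anything the regex above did not anticipate).
  return fallback if uri.scheme || uri.host

  # Keep only path and query; the fragment is never sent to the server anyway.
  path = uri.path
  path += "?#{uri.query}" if uri.query
  path
rescue URI::InvalidURIError
  # Spaces, backslashes and other illegal characters end up here.
  fallback
end
```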
* secure_headers gem (Content Security Policy)
* mod_security (Apache & nginx web application firewall)
* rack-attack gem (similar to mod_security)
* bundler-audit gem (checks Gemfile.lock for vulnerable gems)
* Ruby on Rails Security Guide
* XSS (Cross Site Scripting) Prevention Cheat Sheet
* Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet
* DOM based XSS Prevention Cheat Sheet
* HTML5 Security Cheat Sheet
* SQL Injection Prevention Cheat Sheet
* Attack Surface Analysis Cheat Sheet
* Ruby on Rails Cheatsheet
* http://12factor.net/config
* http://gauntlt.org/