Issues: eliotsykes/rails-security-checklist
#9 Add a DNS section on using multiple providers (opened Jan 12, 2017 by eliotsykes; updated Jan 12, 2017)
#10 Add a section on JSON, XML etc. leaky serialization insecure defaults (opened Jan 12, 2017 by eliotsykes; updated Jan 12, 2017)
#14 Contributions needed: Do you think we should be recommending certified gem? (opened Jan 29, 2017 by eliotsykes; updated Jan 29, 2017)
#16 Add a VCR section on filter_sensitive_data, checking authorization headers and binary response bodies are free of sensitive data, etc. (opened Feb 13, 2017 by eliotsykes; updated Feb 13, 2017)
#17 Include example defensive ApplicationControllers for popular auth gems (opened Mar 29, 2017 by eliotsykes; updated Apr 1, 2017)
#18 Add guideline about template strings and specifying type? (opened Apr 13, 2017 by eliotsykes; updated Apr 13, 2017)
#22 Guideline to review Devise initializer carefully (opened Apr 17, 2017 by eliotsykes; updated Apr 17, 2017)
#23 Consider guideline to favor server-side storage of session data (opened Apr 18, 2017 by eliotsykes; updated Apr 18, 2017)
#27 Mention Rails LTS in case of apps that will never be upgraded (opened Apr 19, 2017 by eliotsykes; updated Apr 19, 2017)
#29 The dangers of eval and command injection attacks (opened May 11, 2017 by eliotsykes; updated May 11, 2017)
#30 Clear session stores frequently (e.g. active record session store) (opened May 15, 2017 by eliotsykes; updated May 15, 2017)
#31 Consider adding guidelines on leaking minimal information on server-side technologies (opened May 16, 2017 by eliotsykes; updated May 16, 2017)
#32 Avoid submitting credit card and other form fields to your server when using payment integration like Stripe JS (opened May 30, 2017 by eliotsykes; updated May 30, 2017)
#34 Avoid leaking Devise tokens sent in mails to log files (opened Jul 5, 2017 by eliotsykes; updated Jul 5, 2017)
#11 Encrypt credentials (Rails 5.2) / secrets (Rails 5.1) in guidelines (opened Jan 16, 2017 by eliotsykes; updated Sep 25, 2017)
#35 Consider guideline for ENV passwords/tokens to be hashed and not in the plain (opened Dec 6, 2017 by eliotsykes; updated Dec 6, 2017)
#38 Mention Liquid insecure default: rendering does not escape interpolated variables (opened Jan 4, 2018 by eliotsykes; updated Jan 4, 2018)
#36 Consider configuring mail providers (e.g. Mailgun, Mailchimp) not to store, track and/or shorten sensitive URLs (e.g. reset password links, any URL with a token) (opened Dec 20, 2017 by eliotsykes; updated Jan 10, 2018)
#41 Things to look out for while choosing gems or libraries (opened Jan 16, 2018 by NeoElit; updated Jan 16, 2018)