Awesome Rails Security
A curated list of security resources for a Ruby on Rails application
Table of Contents
Gems
Authentication and OAuth
- Devise - Flexible authentication solution for Rails with Warden
- Devise Security - A Devise extension to add additional security features required by modern web applications
- Warden - General Rack Authentication Framework
- AuthLogic - An unobtrusive ruby authentication library based on ActiveRecord
- OmniAuth - A library that standardizes multi-provider authentication for web applications
- JWT - A ruby implementation of the RFC 7519 OAuth JSON Web Token (JWT) standard
- Knock - Seamless JWT authentication for Rails API
Authorization
- CanCanCan - An authorization library for Ruby and Ruby on Rails which restricts what resources a given user is allowed to access.
- Pundit - Pundit provides a set of helpers which guide you in leveraging regular Ruby classes and object oriented design patterns to build a simple, robust and scaleable authorization system
Rate Limiting
- ReCaptcha - A plugin that adds helpers for the reCAPTCHA API
Request Management
- Secure Headers - Manages application of security headers with many safe defaults
- Rack::Attack - Rack middleware for blocking & throttling
- ssrf_filter - A ruby gem for defending against Server Side Request Forgery (SSRF) attacks
Static Code Analysis
- Brakeman - A static analysis security vulnerability scanner for Ruby on Rails applications
- bundler-audit - Patch-level verification for Bundler
- Ruby Advisory Database - A database of vulnerable Ruby Gems. You can check your own Gemfile.locks against this database by using bundler-audit.
- RoboCop - A Ruby static code analyzer and formatter, based on the community Ruby style guide
- dawnscanner - A source code scanner designed to review your ruby code for security issues
File Upload
- CarrierWave - A gem that provides a simple and extremely flexible way to upload files from Ruby applications
Logging and Monitoring
- Exception Notification - A gem that provides a set of notifiers for sending notifications when errors occur in a Rack/Rails application
Password Strength
- zxcvbn-ruby - Ruby port of zxcvbn.js (Low-Budget Password Strength Estimation)
Tools
Static Code Analysis
- rails_best_practices - A code metric tool to check the quality of Rails code
- Hawkeye scanner-cli - A project security, vulnerability and general risk highlighting tool
- git-secrets - Prevents you from committing passwords and other sensitive information to a git repository
- Snyk - A developer-first solution that automates finding & fixing vulnerabilities in your dependencies
- GuardRails - Continuous security feedback for your GitHub repositories
- Hakiri - Hakiri monitors Ruby apps for dependency and code security vulnerabilities
Logging and Monitoring
- Sqreen - Unified security monitoring and protection for modern cloud & on-prem environments
- Report URI
Security Vulnerability Advisories
- Ruby on Rails: Security - A mailing list to get security announcements for Ruby, Rails, Rubygems, Bundler, and other Ruby ecosystem projects
- ruby-security-ann - Another mailing list to get security announcements for Ruby, Rails, Rubygems, Bundler, and other Ruby ecosystem projects
- Ruby-Lang - Security - A newsfeed for security vulnerabilities in the Ruby programming language
- Synk - Vulnerability DB
Resources
Official Resources
- Rails - Securing Rails Applications - This manual describes common security problems in web applications and how to avoid them with Rails
Labs - Vulnerable Applications
- OWASP RailsGoat - A vulnerable version of the Ruby on Rails Framework from versions 3 to 5. It includes vulnerabilities from the OWASP Top 10, as well as some "extras" that the initial project contributors felt worthwhile to share. This project is designed to educate both developers, as well as security professionals.
- DeleteMe - Educational insecure Rails application
- Checkmarx - Codebashing - Lessons on common vulnerabilities implemented in Rails. Lessons on SQL Injection, XXE and Stored XSS are free.
- PentesterLab - Provides some vulnerable Rails environments to learn about security vulnerabilities, such as CVE-2019-5420
Best Practices
- rails-bestpractices.com - A newsfeed of code snippets on what practices should and should not be done in Rails
- OWASP - Ruby on Rails Cheatsheet - A cheatsheet that intends to provide quick basic Ruby on Rails security tips for developers. It complements, augments or emphasizes points brought up in the rails security guide from rails core
- Preventing security issues in Ruby on Rails (based on OWASP cheatsheet)
- OWASP - Ruby on Rails Security Guide
- secure_rails
- Securing Sensitive Data in Rails
- production_rails
- Rails Security Checklist
- Zen Rails Security Checklist
- The Ruby Security Handbook
- Ruby on Rails Security: Best Practices
- Ruby on Rails Security Basics
- Ruby on Rails Security 17-Item Checklist
- Level Up Your Security in Rails
- Securing Ruby on Rails Web Applications
- Ruby on Rails Web Application Vulnerabilities: How to Make Your App Secure
- Rails Security Strategy Book
- Preproduction Security Checklist for a Rails App
- Ruby on Rails Security Guide
Anti-Patterns
- Rails' Insecure Defaults
- The Inadequate Guide to Rails Security
- Rails SQL Injection Examples
- Rails Vulnerabilities and Where to Find Them - Part 1
- Rails Vulnerabilities and Where to Find Them - Part 2
Additional Reading
- Attacking Ruby on Rails Applications
- The Evolution of Rails Security
- Rails Security: above and beyond the defaults
- Fixing Command Injection Vulnerabilities in Ruby/Rails
- Fixing File Access Vulnerabilities in Ruby/Rails
- Fixing SQL Injection Vulnerabilities in Ruby/Rails