Greg Molnar - The state of security in Rails 8 - Rails World 2024

Rails 8 is introducing a built-in authentication generator that provides basic authentication features including password-based login and password reset flow

Active Record encryption provides strong built-in encryption for data at rest, with support for key rotation and both deterministic/non-deterministic encryption options

New built-in rate limiting functionality helps protect against automated attacks, with requests grouped by IP address by default and customizable configuration options

Security best practices recommendations:

• Own your authentication system rather than relying on third-party services
• Store audit logs in write-only tables that cannot be modified
• Use whitelist approach for authorization - lock down everything first then explicitly allow access
• Keep sensitive information out of application logs
• Maintain secure deployment flows and lock down SSH access

Tools available for Rails security:

• Brakeman for static code analysis and finding security issues
• Dependabot for vulnerability scanning
• Bundle audit for checking outdated/insecure dependencies
• Content Security Policy helpers
• Parameter filtering for sensitive data

Common security issues to watch for:

• Authorization problems remain the most common security vulnerability
• Credential stuffing attacks typically happen within 24 hours of password database leaks
• XSS attacks still occur despite Rails’ built-in protections

Rails maintenance policy provides security fixes for minor releases for 2 years after initial release

The Rails ecosystem has strong security focus with:

• Built-in protections against common vulnerabilities
• Active security community
• Regular security updates and CVE patches
• Tools for most security needs built into the framework