Greg Molnar - The state of security in Rails 8 - Rails World 2024
Learn about Rails 8's new authentication generator, encryption features, rate limiting & security best practices. Greg Molnar covers key tools & common vulnerabilities at Rails World.
-
Rails 8 introduces a built-in authentication generator (bin/rails generate authentication) that provides the basics: session-based, password login with hashed passwords and a password reset flow
-
Active Record encryption provides built-in, attribute-level encryption for data at rest, with support for key rotation and a choice between deterministic encryption (the same plaintext always yields the same ciphertext, so the column stays queryable) and non-deterministic encryption (a fresh random IV per write, the safer default)
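The two encryption modes and key rotation, illustrated with a simplified model written for this summary. It is not Rails code: the payload layout, the key-ring handling and the HMAC-based IV derivation are assumptions chosen to show the behaviour, using only Ruby's standard OpenSSL and JSON libraries.

```ruby
require "openssl"
require "json"

# Simplified model of attribute encryption, added for this summary (not Rails code).
# AES-256-GCM; random IV for non-deterministic attributes, content-derived IV for
# deterministic ones; a key ring so old rows stay readable after a key is added.
class AttributeEncryptor
  CIPHER = "aes-256-gcm"

  # keys: 32-byte keys, oldest first. The newest key encrypts; every key may decrypt,
  # which is what lets you add a key, re-encrypt at leisure, then retire the old one.
  def initialize(keys)
    @keys = keys
  end

  def encrypt(plaintext, deterministic: false)
    key = @keys.last
    iv = deterministic ? deterministic_iv(key, plaintext) : OpenSSL::Random.random_bytes(12)
    cipher = OpenSSL::Cipher.new(CIPHER).encrypt
    cipher.key = key
    cipher.iv = iv
    ciphertext = cipher.update(plaintext) + cipher.final
    { "p" => hex(ciphertext), "iv" => hex(iv), "at" => hex(cipher.auth_tag) }.to_json
  end

  def decrypt(payload)
    data = JSON.parse(payload)
    ciphertext, iv, tag = data.values_at("p", "iv", "at").map { |h| unhex(h) }
    # Try the newest key first, then fall back to older keys in the ring.
    @keys.reverse_each do |key|
      cipher = OpenSSL::Cipher.new(CIPHER).decrypt
      cipher.key = key
      cipher.iv = iv
      cipher.auth_tag = tag
      begin
        return cipher.update(ciphertext) + cipher.final
      rescue OpenSSL::Cipher::CipherError
        next # wrong key or tampered payload: the GCM tag check failed
      end
    end
    raise ArgumentError, "no key in the ring can decrypt this payload"
  end

  private

  # Deterministic IV = HMAC(key, plaintext) truncated to 12 bytes (an assumption for
  # this model). Same key and plaintext give the same ciphertext, so WHERE email = ?
  # still matches, at the cost of revealing which rows share a value. Never use it
  # for free-text fields.
  def deterministic_iv(key, plaintext)
    OpenSSL::HMAC.digest("SHA256", key, plaintext)[0, 12]
  end

  def hex(bytes)
    bytes.unpack1("H*")
  end

  def unhex(str)
    [str].pack("H*")
  end
end

if $PROGRAM_NAME == __FILE__
  old_key = OpenSSL::Random.random_bytes(32)
  v1 = AttributeEncryptor.new([old_key])
  v2 = AttributeEncryptor.new([old_key, OpenSSL::Random.random_bytes(32)])
  row = v1.encrypt("alice@example.com", deterministic: true)
  puts "deterministic repeats: #{row == v1.encrypt('alice@example.com', deterministic: true)}"
  puts "rotated ring reads old row: #{v2.decrypt(row)}"
end
```

Rotation works because decryption tries every key in the ring; the failure mode to watch for is the reverse direction, where a process still holding only the old key cannot read rows written under the new one, so keys must be distributed before encryption switches over.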
-
New built-in rate limiting at the controller level helps protect against automated attacks such as brute-force login and credential stuffing; requests are grouped by client IP address by default, and the limit, window, grouping key and response are configurable
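A fixed-window limiter modelled on that controller-level declaration, written for this summary as an added example. It is not the Rails implementation (which keeps its counters in the cache store); the Request struct, the email_address parameter name and the limits chosen are assumptions. It shows the IP default and why a login endpoint wants a second limiter keyed on the account being attacked.

```ruby
# Fixed-window rate limiter in the shape of Rails 8's rate_limit declaration
# (to:, within:, by:). Added example for this summary, not Rails code.
class RateLimiter
  Request = Struct.new(:remote_ip, :params, keyword_init: true)

  # to:     requests allowed per window
  # within: window length in seconds
  # by:     maps a request to a bucket key; the default groups by client IP, as Rails does
  # clock:  injectable time source so windows can be tested without sleeping
  def initialize(to:, within:, by: ->(req) { req.remote_ip }, clock: -> { Time.now.to_f })
    @to, @within, @by, @clock = to, within, by, clock
    @buckets = {} # key => [window_start, count]
  end

  # Returns :ok or :too_many_requests. A controller would answer the latter with 429.
  def check(request)
    key = @by.call(request)
    now = @clock.call
    start, count = @buckets[key]
    if start.nil? || now - start >= @within
      @buckets[key] = [now, 1] # first request opens a fresh window
      return :ok
    end
    @buckets[key] = [start, count + 1]
    count + 1 > @to ? :too_many_requests : :ok
  end
end

# Two limiters a login action might stack: the IP default, plus one keyed on the
# submitted account so a credential-stuffing run spread across many IPs still trips.
# The email normalisation (strip + downcase) is an assumption for this example.
def login_limiters(clock: -> { Time.now.to_f })
  by_ip = RateLimiter.new(to: 10, within: 180, clock: clock)
  by_account = RateLimiter.new(
    to: 5, within: 180, clock: clock,
    by: ->(req) { req.params[:email_address].to_s.strip.downcase }
  )
  [by_ip, by_account]
end

# Every limiter is consulted (no short-circuit) so each bucket keeps an accurate count.
def login_allowed?(limiters, request)
  limiters.map { |l| l.check(request) }.all? { |r| r == :ok }
end

if $PROGRAM_NAME == __FILE__
  lims = login_limiters
  6.times do |i|
    req = RateLimiter::Request.new(remote_ip: "192.0.2.#{i}", params: { email_address: "alice@example.com" })
    puts "attempt #{i + 1} from #{req.remote_ip}: #{login_allowed?(lims, req) ? 'allowed' : 'blocked'}"
  end
end
```

The per-account limiter is the one that matters against distributed stuffing: six attempts on one account from six different IPs never trip the IP bucket, but the sixth trips the account bucket.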
-
Security best practices recommendations:
- Own your authentication system rather than relying on third-party services
- Store audit logs in append-only tables (insert only, no updates or deletes) so that an attacker who gets in cannot rewrite history
- Use a deny-by-default (allow-list) approach to authorization - lock down everything first, then explicitly grant access
- Keep sensitive information out of application logs
- Maintain secure deployment flows and lock down SSH access
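The deny-by-default authorization rule from the list above, as a small policy object added for this summary. It is plain Ruby, not Rails or any particular authorization gem; the User and Post structs and the post rules are illustrative assumptions. The point it demonstrates is that an action with no rule is refused for everyone, admins included, until someone writes the rule.

```ruby
# Deny-by-default authorization. Added example for this summary; not Rails code and
# not modelled on a specific gem. Nothing is permitted until a rule says so.
class Authorizer
  Denied = Class.new(StandardError)
  User = Struct.new(:id, :role, keyword_init: true)
  Post = Struct.new(:id, :author_id, keyword_init: true)

  def initialize
    @rules = Hash.new { |h, k| h[k] = [] }
  end

  # Register an explicit allow rule for `action`. Returns self so rules can be chained.
  def allow(action, &rule)
    @rules[action] << rule
    self
  end

  # True only if some rule for this action returns exactly true. An action with no
  # rules, or a rule returning nil/false, is denied; `== true` also keeps a rule that
  # accidentally returns a truthy object (a record, a string) from granting access.
  def allowed?(user, action, record)
    @rules.fetch(action, []).any? { |rule| rule.call(user, record) == true }
  end

  def authorize!(user, action, record)
    return true if allowed?(user, action, record)
    raise Denied, "#{user.role} #{user.id} may not #{action} #{record.class.name} #{record.id}"
  end
end

# Rules for a Post: read is public, editing is for the author, deleting is for the
# author or an admin. There is deliberately no :publish rule, so :publish is denied.
def post_authorizer
  Authorizer.new
    .allow(:show)    { |_user, _post| true }
    .allow(:update)  { |user, post| user.id == post.author_id }
    .allow(:destroy) { |user, post| user.role == :admin || user.id == post.author_id }
end

if $PROGRAM_NAME == __FILE__
  auth = post_authorizer
  root = Authorizer::User.new(id: 9, role: :admin)
  post = Authorizer::Post.new(id: 10, author_id: 1)
  puts "admin destroy: #{auth.allowed?(root, :destroy, post)}"
  puts "admin publish (no rule): #{auth.allowed?(root, :publish, post)}"
end
```

In a Rails app the equivalent is a before_action that raises unless a policy explicitly allows the current action, with the raise as the default path and the allow as the exception, which is the opposite of sprinkling `if current_user.admin?` checks only where someone remembered to.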
-
Tools available for Rails security:
- Brakeman for static code analysis and finding security issues
- Dependabot for alerts and update pull requests on vulnerable dependencies
- bundler-audit for checking Gemfile.lock against known gem vulnerabilities and insecure gem sources
- Content Security Policy helpers
- Parameter filtering for sensitive data
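Parameter filtering is how the "keep sensitive information out of logs" recommendation is enforced in practice. The recursive redaction below is an added example written for this summary in plain Ruby; it is not ActiveSupport::ParameterFilter, though it follows the same idea of matching key names against a pattern list and replacing values with [FILTERED]. The pattern list and the sample params hash are constructed for the example.

```ruby
# Recursive parameter redaction in the spirit of Rails' config.filter_parameters.
# Added example for this summary, not the ActiveSupport implementation.
class ParamFilter
  FILTERED = "[FILTERED]"

  # patterns: symbols/strings matched case-insensitively as substrings of the key
  # (so :passw covers password and password_confirmation), or Regexps used as-is.
  def initialize(patterns)
    @regexps = patterns.map { |p| p.is_a?(Regexp) ? p : /#{Regexp.escape(p.to_s)}/i }
  end

  # Walk hashes and arrays; redact any leaf whose nearest enclosing key matches.
  def filter(value, key = nil)
    case value
    when Hash
      value.each_with_object({}) { |(k, v), out| out[k] = filter(v, k.to_s) }
    when Array
      value.map { |v| filter(v, key) }
    else
      key && @regexps.any? { |re| key.match?(re) } ? FILTERED : value
    end
  end
end

# A pattern list similar in spirit to what a new Rails app ships in
# config/initializers/filter_parameter_logging.rb; the exact set here is an
# assumption for the example.
DEFAULT_PATTERNS = %i[passw email secret token _key crypt salt certificate otp ssn].freeze

# What a request log line would carry after filtering.
def filtered_params_log(params, patterns = DEFAULT_PATTERNS)
  "Parameters: #{ParamFilter.new(patterns).filter(params).inspect}"
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample request params for the demo.
  params = { "session" => { "email_address" => "alice@example.com", "password" => "hunter2" }, "remember_me" => "1" }
  puts filtered_params_log(params)
end
```

Filtering only covers what goes through the request logger; anything the application logs itself (an exception message containing a token, a `Rails.logger.info params.inspect` in a controller) bypasses it, which is why the recommendation is stated as a practice rather than a setting.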
-
Common security issues to watch for:
- Authorization problems remain the most common security vulnerability
- Credential stuffing attacks typically happen within 24 hours of password database leaks
- XSS attacks still occur despite Rails’ built-in protections
-
The Rails maintenance policy provides security fixes for a minor release series for 2 years after its initial release
-
The Rails ecosystem has strong security focus with:
- Built-in protections against common vulnerabilities
- Active security community
- Regular security updates and CVE patches
- Tools for most security needs built into the framework