Greg Molnar - The state of security in Rails 8 - Rails World 2024
Learn about Rails 8's powerful security features including built-in authentication, rate limiting, Content Security Policy, and encryption in this talk from Greg Molnar.
-
Rails 8 ships an authentication generator (`bin/rails generate authentication`) that scaffolds session-based login, password reset via expiring tokens, and password hashing through `has_secure_password`, so the cryptographic details are handled by the framework rather than hand-rolled
-
Rate limiting is now built into Rails core as the `rate_limit` controller macro, backed by the configured cache store; it is declared per controller or action and keys the counter on the client IP address by default
-
Content Security Policy (CSP) is a browser-enforced second line of defense against XSS; the first is output encoding, which ERB templates do by default, so XSS in Rails views usually enters through `html_safe`, `raw` or similar bypasses rather than plain `<%= %>` interpolation
-
The Brakeman static analyzer flags vulnerable patterns in application code, and bundler-audit (`bundle audit`) checks `Gemfile.lock` against the Ruby Advisory Database for gems with known vulnerabilities; both are cheap to run in CI
-
The default `filter_parameters` list in newly generated apps now also covers payment card verification codes (`cvv`, `cvc`), so they are masked as `[FILTERED]` in logs alongside passwords, tokens and secrets; matching is by parameter name, so non-standard field names still have to be added
-
Rails provides strong cryptography out of the box (`ActiveSupport::MessageEncryptor`, signed and encrypted cookies) and Active Record encryption, which encrypts attributes with AES-256-GCM before they reach the database; this protects data at rest, not from the application itself
-
Authorization issues, typically a controller that checks that a user is logged in but not that the user may act on the specific record requested, are among the most common security problems in Rails applications
-
The Rails maintenance policy now provides security fixes for two years after a minor version's initial release
-
Audit logs should be stored in append-only tables: rows can be inserted but never updated or deleted, so a compromised application cannot rewrite its own history
-
Keep authentication and user data in-house rather than outsourcing to third-party providers like Okta
-
Use role-based authorization with an allowlist (deny-by-default) approach: grant each role the specific actions it needs and reject anything not explicitly listed
-
Regular dependency updates and security patches are crucial for maintaining application security
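The rate-limiting point above, as an added example that is not from the talk or from Rails itself: a fixed-window limiter with the same shape as Rails' `rate_limit to:, within:, by:`, written in plain Ruby so it runs without Rails. The in-memory Hash stands in for the Rails cache store, the request is a plain Hash with a `:remote_ip` key, and the injectable clock exists only so the window expiry can be exercised deterministically; all three are assumptions of this example.

```ruby
# Added example (not Rails' own code): fixed-window rate limiter mirroring the
# semantics of `rate_limit to: N, within: SECONDS, by: -> { request.remote_ip }`.
# Rails increments a counter in the cache store with expires_in = within and
# rejects the request once the counter exceeds `to`; this does the same in memory.
class RateLimiter
  # to:     maximum requests allowed per window
  # within: window length in seconds
  # by:     maps a request to its bucket key; default is the client IP, like Rails
  # clock:  returns the current time as a Float (assumed injectable for testing)
  def initialize(to:, within:, by: ->(req) { req[:remote_ip] }, clock: -> { Time.now.to_f })
    @to = to
    @within = within
    @by = by
    @clock = clock
    @store = {} # bucket key => [count, window_expires_at]
  end

  # Returns true when the request is allowed, false when it should be rejected.
  def allow?(request)
    key = @by.call(request)
    now = @clock.call
    count, expires_at = @store[key]

    if expires_at.nil? || now >= expires_at
      # First request of a new window: reset the counter and start the window.
      # (A fixed window lets a client burst 2*to across a window boundary; Rails
      # accepts the same trade-off in exchange for a single cache increment.)
      @store[key] = [1, now + @within]
      return true
    end

    count += 1
    @store[key] = [count, expires_at]
    count <= @to
  end

  # What Rails' default `with:` block does: 429 once the limit is exceeded.
  def handle(request)
    allow?(request) ? [200, "ok"] : [429, "Too Many Requests"]
  end
end

# Constructed requests for demonstration; in Rails the key would additionally be
# namespaced by controller path so limits on different endpoints stay separate.
def demo
  clock = [1_000.0]
  limiter = RateLimiter.new(to: 3, within: 60, clock: -> { clock[0] })
  attacker = { remote_ip: "203.0.113.7" }
  bystander = { remote_ip: "198.51.100.9" }

  statuses = Array.new(4) { limiter.handle(attacker).first } # 200, 200, 200, 429
  other_ip = limiter.handle(bystander).first                 # 200: separate bucket
  clock[0] += 61                                             # window elapsed
  after_window = limiter.handle(attacker).first              # 200 again
  [statuses, other_ip, after_window]
end
```

The limiter is keyed only on IP, which is what the Rails default does too; for login endpoints a practitioner usually adds a second limit keyed on the submitted account identifier so a distributed attacker cannot spread attempts across source addresses.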
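The parameter-filtering point above, as an added example that is not Rails' own code: a simplified re-implementation of the matching rules behind `config.filter_parameters`, so they can be tried without booting Rails. Like Rails, a String or Symbol pattern matches any parameter name that contains it, case-insensitively, a Regexp is used as-is, and filtering recurses into nested Hashes and Arrays. The checkout parameters are constructed for the example, and `card_number` is chosen deliberately to show a field the default list does not cover.

```ruby
# Added example (not ActiveSupport::ParameterFilter itself): parameter name based
# log filtering with the rules Rails applies to config.filter_parameters.
class ParamFilter
  FILTERED = "[FILTERED]"

  # The list a Rails 8 app generates in config/initializers/filter_parameter_logging.rb.
  # Note these are substrings: "passw" covers password and password_confirmation,
  # "_key" covers api_key, "token" covers authenticity_token and access_token.
  RAILS_8_DEFAULTS = %i[passw email secret token _key crypt salt certificate otp ssn cvv cvc].freeze

  def initialize(patterns)
    @regexps = patterns.map do |p|
      p.is_a?(Regexp) ? p : Regexp.new(Regexp.escape(p.to_s), Regexp::IGNORECASE)
    end
  end

  # Returns a copy of params with matching values replaced; non-matching values
  # are recursed into so secrets nested inside order[card][cvc] are still caught.
  def filter(params)
    case params
    when Hash
      params.each_with_object({}) do |(key, value), out|
        out[key] = filtered_key?(key) ? FILTERED : filter(value)
      end
    when Array
      params.map { |v| filter(v) }
    else
      params
    end
  end

  private

  def filtered_key?(key)
    name = key.to_s
    @regexps.any? { |re| re.match?(name) }
  end
end

# Constructed sample request parameters (not real data).
CHECKOUT_PARAMS = {
  "order" => {
    "amount" => "49.00",
    "card" => { "card_number" => "4242424242424242", "cvc" => "123", "exp" => "12/30" },
  },
  "user" => { "email" => "alice@example.com", "password_confirmation" => "hunter2" },
  "api_key" => "sk_live_example",
  "authenticity_token" => "abc123",
  "items" => [{ "sku" => "A1", "qty" => "2" }],
}.freeze

# Default list: cvc, email, password_confirmation, api_key and the CSRF token are
# masked, but the card number is not, because no default pattern matches "card_number".
def filter_with_defaults
  ParamFilter.new(ParamFilter::RAILS_8_DEFAULTS).filter(CHECKOUT_PARAMS)
end

# The fix is one extra pattern in the initializer; here a Regexp anchored so that
# "card_number" is caught while an unrelated "order_number" would still be logged.
def filter_with_card_number
  ParamFilter.new(ParamFilter::RAILS_8_DEFAULTS + [/\Acard_number\z/]).filter(CHECKOUT_PARAMS)
end
```

The lesson the default-list run makes visible is that `filter_parameters` is a name allowlist in reverse: anything whose key does not resemble a known sensitive name is logged verbatim, so every new sensitive field a form introduces needs a matching entry.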
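The encryption point above, as an added example that is not Active Record encryption's code: attribute-style encryption with AES-256-GCM, the cipher Active Record encryption uses by default, in plain Ruby with the standard `openssl` library. It shows the two properties a practitioner relies on: a random IV per encryption makes equal plaintexts produce different ciphertexts, and the GCM tag makes a single flipped bit in the stored value fail to decrypt instead of returning corrupted plaintext. The `iv || ciphertext || tag` layout and the `AttributeCipher` name are this example's choices, not the Rails wire format.

```ruby
require "openssl"
require "securerandom"
require "base64"

# Added example (not Rails' own code): AES-256-GCM attribute encryption.
class AttributeCipher
  KEY_BYTES = 32 # AES-256
  IV_BYTES  = 12 # recommended GCM nonce size
  TAG_BYTES = 16 # full-length authentication tag

  def initialize(key)
    raise ArgumentError, "key must be #{KEY_BYTES} bytes" unless key.bytesize == KEY_BYTES
    @key = key
  end

  # Returns Base64(iv || ciphertext || tag). A fresh random IV each call is what
  # makes this non-deterministic; Active Record's optional deterministic mode
  # derives the IV from the plaintext instead so equal values can be queried.
  def encrypt(plaintext)
    cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
    cipher.key = @key
    iv = SecureRandom.random_bytes(IV_BYTES)
    cipher.iv = iv
    ciphertext = cipher.update(plaintext) + cipher.final
    Base64.strict_encode64(iv + ciphertext + cipher.auth_tag(TAG_BYTES))
  end

  # Raises OpenSSL::Cipher::CipherError if the IV, ciphertext or tag was altered.
  def decrypt(encoded)
    blob = Base64.strict_decode64(encoded)
    iv = blob[0, IV_BYTES]
    body = blob[IV_BYTES..]
    ciphertext = body[0...-TAG_BYTES]
    tag = body[-TAG_BYTES..]

    decipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
    decipher.key = @key
    decipher.iv = iv
    decipher.auth_tag = tag # must be set before #final, which performs the check
    (decipher.update(ciphertext) + decipher.final).force_encoding(Encoding::UTF_8)
  end
end

# Simulates an attacker (or a disk error) flipping one bit of the stored
# ciphertext. Returns :rejected when decryption refuses the value.
def tamper_check(cipher, encoded)
  blob = Base64.strict_decode64(encoded).dup
  pos = AttributeCipher::IV_BYTES # first ciphertext byte
  blob.setbyte(pos, blob.getbyte(pos) ^ 0x01)
  cipher.decrypt(Base64.strict_encode64(blob))
  :accepted
rescue OpenSSL::Cipher::CipherError
  :rejected
end

# Constructed round trip on a sample value (not real card data).
def demo_round_trip
  cipher = AttributeCipher.new(SecureRandom.random_bytes(AttributeCipher::KEY_BYTES))
  first = cipher.encrypt("4242 4242 4242 4242")
  second = cipher.encrypt("4242 4242 4242 4242")
  {
    decrypted: cipher.decrypt(first),
    ciphertexts_differ: first != second,
    tamper: tamper_check(cipher, first),
  }
end
```

With a mode like CBC and no MAC, the tampered value would decrypt to garbage and the application would carry on; the authenticated mode is what turns silent corruption into a loud failure. The key here is generated per run for the demonstration; in Rails it comes from the credentials file, and the value at rest is only as protected as that key.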
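The two authorization points above (that authorization bugs are the most common Rails issue, and that access should be role-based with an allowlist), as one added example that is not the talk's code: a deny-by-default policy object in plain Ruby. Each role gets an explicit list of allowed actions, anything unlisted is refused, and the record-level ownership test is separate from the role test, because the typical Rails bug is a controller that loads `Post.find(params[:id])` and never asks whether the current user may touch that particular record. The `User`/`Post` structs and `PostPolicy` are this example's stand-ins for application models.

```ruby
# Added example (not from the talk): role allowlist plus ownership check.
User = Struct.new(:id, :role, keyword_init: true)
Post = Struct.new(:id, :author_id, :published, keyword_init: true)

class PostPolicy
  NotAuthorized = Class.new(StandardError)

  # Role => actions that role may ever perform. A role or action absent from
  # this table is denied; there is no "everything else is allowed" branch.
  ROLE_ALLOWLIST = {
    admin:  %i[index show create update destroy].freeze,
    author: %i[index show create update destroy].freeze,
    reader: %i[index show].freeze,
  }.freeze

  def initialize(user, post = nil)
    @user = user
    @post = post
  end

  # Step 1: does the role allow the action at all?
  # Step 2: does this user have a right to this particular record?
  def allowed?(action)
    return false if @user.nil?
    return false unless ROLE_ALLOWLIST.fetch(@user.role, []).include?(action)
    record_allowed?(action)
  end

  # Controller-style helper: raise instead of silently continuing.
  def self.authorize!(user, action, post = nil)
    raise NotAuthorized, "#{action} on post #{post&.id}" unless new(user, post).allowed?(action)
    true
  end

  # The scoping alternative to a post-hoc check: return only the records this
  # user may see, the in-memory equivalent of `current_user.posts` in Rails.
  def self.visible(user, posts)
    posts.select { |post| new(user, post).allowed?(:show) }
  end

  private

  def record_allowed?(action)
    case action
    when :index, :create then true
    when :show then @post.published || owner_or_admin?
    when :update, :destroy then owner_or_admin?
    else false # unlisted action: deny even if a role table entry were added by mistake
    end
  end

  def owner_or_admin?
    @user.role == :admin || (!@post.nil? && @post.author_id == @user.id)
  end
end
```

The case that matters most is two users with the same role: `bob` and `alice` are both authors, so a role-only check would let bob delete alice's draft. The ownership test is what closes that hole, and `visible` shows the scoped-query approach that avoids ever loading another user's record in the first place.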