Greg Molnar - The state of security in Rails 8 - Rails World 2024

Learn about Rails 8's powerful security features including built-in authentication, rate limiting, Content Security Policy, and encryption in this talk from Greg Molnar.

Key takeaways
  • Rails 8 includes a built-in authentication generator providing basic authentication features with password reset, tokens, and cryptography handling

  • Rate limiting is now built into Rails core, configurable at the Rack level and grouped by IP address by default

  • Content Security Policy (CSP) helps mitigate XSS attacks, with ERB templates escaping content by default

  • Brakeman static code analyzer and bundle audit help identify security vulnerabilities and outdated dependencies

  • New parameter filtering improvements help prevent sensitive data (like CVV/CVC) from being logged

  • Rails provides built-in strong cryptography and Active Record encryption for securing sensitive data

  • Authorization issues are among the most common security problems in Rails applications

  • The Rails maintenance policy now provides security fixes for 2 years after initial release for minor versions

  • Audit logging should be stored in write-only tables that cannot be modified later

  • Keep authentication and user data in-house rather than outsourcing to third-party providers like Okta

  • Use role-based authentication and whitelist approaches to control access to resources

  • Regular dependency updates and security patches are crucial for maintaining application security
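To show what the rate-limiting takeaway above means in practice, here is a self-contained Ruby illustration (added here; not Rails' own code) of a fixed-window limiter with the same shape as Rails 8's `rate_limit` macro: allow `to:` requests `within:` a window, grouped by a key that, as in Rails, would default to the client IP. The `RateLimiter` class, its in-memory cache, and the sample traffic are constructed for this example; a real deployment would back the counter with a shared cache store so the window holds across app servers.

```ruby
# Added illustration (not Rails' own implementation): a minimal fixed-window
# rate limiter mirroring the semantics of Rails 8's rate_limit macro.
# The counter is incremented before the check, so the first request that
# exceeds the limit is the (to + 1)th one inside the window.
class RateLimiter
  Entry = Struct.new(:count, :expires_at)

  # to:     maximum number of requests allowed per window
  # within: window length in seconds
  # clock:  injectable time source (seconds as Float) so tests are deterministic
  def initialize(to:, within:, clock: -> { Time.now.to_f })
    @to = to
    @within = within
    @clock = clock
    @cache = {} # stands in for the Rails cache store (Redis/Memcached in production)
  end

  # Records one request for `key` (normally the client IP) and returns
  # :allowed or :throttled. An expired entry is reset to a fresh window.
  def hit(key)
    now = @clock.call
    entry = @cache[key]
    if entry.nil? || entry.expires_at <= now
      entry = @cache[key] = Entry.new(0, now + @within)
    end
    entry.count += 1
    entry.count > @to ? :throttled : :allowed
  end
end

# Constructed sample traffic: five requests from one client inside a 60 s
# window (limit 3), one request from a second client, then the first client
# again after its window has expired. Addresses are documentation-range IPs.
def demo
  t = 0.0
  limiter = RateLimiter.new(to: 3, within: 60, clock: -> { t })
  results = []
  5.times { results << limiter.hit("203.0.113.10") }
  results << limiter.hit("198.51.100.7") # separate key, separate counter
  t = 61.0                               # window for 203.0.113.10 has expired
  results << limiter.hit("203.0.113.10")
  results
end
```

Requests four and five from the first client are throttled, the second client is unaffected, and the first client is allowed again once its window resets.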