Greg Molnar - The state of security in Rails 8 - Rails World 2024

Rails 8 includes a built-in authentication generator providing basic authentication features with password reset, tokens, and cryptography handling

Rate limiting is now built into Rails core, configurable at the Rack level and grouped by IP address by default

Content Security Policy (CSP) helps mitigate XSS attacks, with ERB templates escaping content by default

Brakeman static code analyzer and bundle audit help identify security vulnerabilities and outdated dependencies

New parameter filtering improvements help prevent sensitive data (like CVV/CVC) from being logged

Rails provides built-in strong cryptography and Active Record encryption for securing sensitive data

Authorization issues are among the most common security problems in Rails applications

The Rails maintenance policy now provides security fixes for 2 years after initial release for minor versions

Audit logging should be stored in write-only tables that cannot be modified later

Keep authentication and user data in-house rather than outsourcing to third-party providers like Okta

Use role-based authentication and whitelist approaches to control access to resources

Regular dependency updates and security patches are crucial for maintaining application security