Ruby on Rails Security Guide

Please refer to the following posts for Ruby on Rails security best practices. CSRF and XSS are the most important ones:-


1) CSRF – https://selvaonrails.wordpress.com/2012/04/03/ruby-on-rails-security-csrf-3/

2) XSS – https://selvaonrails.wordpress.com/2012/04/03/ruby-on-rails-security-xss-2/

3) Protection flags on cookies – https://selvaonrails.wordpress.com/2012/04/03/ruby-on-rails-security-protection-flags-on-session-cookies/

4) Filter parameter logging – https://selvaonrails.wordpress.com/2012/04/03/ruby-on-rails-security-filtering-parameter-logging/

Ruby on Rails Security – Protection Flags on Session Cookies

Analysis:

If an attacker has managed to inject JavaScript into the site (for example through an XSS flaw), then when an unsuspecting user visits the site the JavaScript executes, reads the ‘sessionId’ cookie and sends it to the malicious user. Using the victim’s session ID, the malicious user can hijack the victim’s session and perform actions on their behalf.

Solution and Fix:

Add the ‘HttpOnly’ flag to the Set-Cookie header for the session ID. When we tag a cookie with the HttpOnly flag, it tells the browser that this particular cookie should only be sent to the server and never exposed to client-side script. Any attempt to read the cookie from JavaScript (e.g. via document.cookie) is refused. Of course, this presumes you have:

  1. A modern web browser
  2. A browser that actually implements HttpOnly correctly

Example and Testing:

The following details are extracted from the ‘Live HTTP Headers’ browser extension:

Before setting the ‘HttpOnly’ flag:-

Set-Cookie: sessionId=EUID%3DLTU3Zjg3YTA3OjEzNj

After setting the ‘HttpOnly’ flag:-

Set-Cookie: sessionId=EUID%3DLTU3Zjg3YTA3OjEzNj; HttpOnly
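To make the before/after comparison above repeatable, here is a small Ruby audit script (an added example, not part of the original post) that parses a Set-Cookie header and reports which protection flags are missing. It checks for both HttpOnly and Secure, so it goes slightly beyond the post, which only covers HttpOnly. The two sample headers are the ones quoted above; the function and constant names are my own.

```ruby
# Added example: audit Set-Cookie headers for protection flags.
# The sample headers are the two lines quoted in the post above.

# Flags we expect on a session cookie. 'secure' is checked in addition
# to the post's 'httponly' so the script also catches cookies sent over
# plain HTTP.
REQUIRED_FLAGS = %w[httponly secure].freeze

# Parse one Set-Cookie header (with or without the "Set-Cookie:" prefix)
# into the cookie name, its value and a hash of attributes.
# Attribute keys are lower-cased; valueless flags such as HttpOnly map to true.
def parse_set_cookie(header)
  raw = header.sub(/\ASet-Cookie:\s*/i, '')
  pair, *attrs = raw.split(';').map(&:strip)
  name, value = pair.split('=', 2)
  attributes = attrs.each_with_object({}) do |attr, h|
    k, v = attr.split('=', 2)
    h[k.downcase] = v.nil? ? true : v
  end
  { name: name, value: value, attributes: attributes }
end

# Return the protection flags that are absent from the header, in the
# order given by `required`. An empty array means the cookie passes.
def missing_flags(header, required: REQUIRED_FLAGS)
  cookie = parse_set_cookie(header)
  required.reject { |flag| cookie[:attributes].key?(flag) }
end

# The post's "before" and "after" headers.
BEFORE = 'Set-Cookie: sessionId=EUID%3DLTU3Zjg3YTA3OjEzNj'
AFTER  = 'Set-Cookie: sessionId=EUID%3DLTU3Zjg3YTA3OjEzNj; HttpOnly'

if __FILE__ == $PROGRAM_NAME
  [BEFORE, AFTER].each do |h|
    puts "#{h}\n  missing flags: #{missing_flags(h).inspect}"
  end
end
```

Running it shows the "before" header missing both httponly and secure, and the "after" header still missing secure. In a Rails application the corresponding setting is the `httponly: true` (and `secure: true`) option on `config.session_store :cookie_store` in the session store initializer; after changing it, re-run the audit against the live response headers rather than trusting the configuration alone.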

Links for References:-

1) http://www.codinghorror.com/blog/2008/08/protecting-your-cookies-httponly.html