author Matt Michnal <mattm3646@gmail.com> 2016-02-04 22:34:30 -0700
committer Matt Michnal <mattm3646@gmail.com> 2016-02-09 17:57:16 -0700
commit 767f168772aa697192d6c79b6bfaf942ed96b1e2
tree 6934d8c1ec8ac38388cf0628ea34b017427e54ed /guides/source/security.md
parent bd6971812434e6f016977dc5c39fbc6450433471
Fixed grammatical errors in rails docs [ci skip]
Fixed errors in rails migrations docs [ci skip]
Fixed errors in rails security docs [ci skip]
Diffstat (limited to 'guides/source/security.md')
-rw-r--r-- guides/source/security.md 4
1 files changed, 2 insertions, 2 deletions
diff --git a/guides/source/security.md b/guides/source/security.md
index b30bed3767..98324141cc 100644
--- a/guides/source/security.md
+++ b/guides/source/security.md
@@ -23,7 +23,7 @@ Web application frameworks are made to help developers build web applications. S
In general there is no such thing as plug-n-play security. Security depends on the people using the framework, and sometimes on the development method. And it depends on all layers of a web application environment: The back-end storage, the web server and the web application itself (and possibly other layers or applications).
-The Gartner Group however estimates that 75% of attacks are at the web application layer, and found out "that out of 300 audited sites, 97% are vulnerable to attack". This is because web applications are relatively easy to attack, as they are simple to understand and manipulate, even by the lay person.
+The Gartner Group, however, estimates that 75% of attacks are at the web application layer, and found out "that out of 300 audited sites, 97% are vulnerable to attack". This is because web applications are relatively easy to attack, as they are simple to understand and manipulate, even by the lay person.
The threats against web applications include user account hijacking, bypass of access control, reading or modifying sensitive data, or presenting fraudulent content. Or an attacker might be able to install a Trojan horse program or unsolicited e-mail sending software, aim at financial enrichment or cause brand name damage by modifying company resources. In order to prevent attacks, minimize their impact and remove points of attack, first of all, you have to fully understand the attack methods in order to find the correct countermeasures. That is what this guide aims at.
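Review bot: The changed Gartner sentence still presents the 75% and 97% figures with no source or date, and since this line is being touched anyway, a citation or link would let readers judge how current the numbers are. In the same sentence, "and found out" would read better as "and found", and the unchanged paragraph that follows repeats "in order to" twice in one sentence ("In order to prevent attacks ... in order to find the correct countermeasures"), which a grammar pass like this one could tighten.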
@@ -62,7 +62,7 @@ Many web applications have an authentication system: a user provides a user name
Hence, the cookie serves as temporary authentication for the web application. Anyone who seizes a cookie from someone else, may use the web application as this user - with possibly severe consequences. Here are some ways to hijack a session, and their countermeasures:
-* Sniff the cookie in an insecure network. A wireless LAN can be an example of such a network. In an unencrypted wireless LAN it is especially easy to listen to the traffic of all connected clients. For the web application builder this means to _provide a secure connection over SSL_. In Rails 3.1 and later, this could be accomplished by always forcing SSL connection in your application config file:
+* Sniff the cookie in an insecure network. A wireless LAN can be an example of such a network. In an unencrypted wireless LAN, it is especially easy to listen to the traffic of all connected clients. For the web application builder this means to _provide a secure connection over SSL_. In Rails 3.1 and later, this could be accomplished by always forcing SSL connection in your application config file:
```ruby
config.force_ssl = true
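Review bot: The sniffing bullet gets its comma after "In an unencrypted wireless LAN", but the rest of the same line still has the grammar problems this commit sets out to fix: "this means to _provide a secure connection over SSL_" is awkward (for example "this means you should _provide a secure connection over SSL_"), and "always forcing SSL connection" is missing an article ("forcing an SSL connection" or "forcing SSL connections"). The line also says only "your application config file" while the context shows `config.force_ssl = true`; naming the file would make the instruction easier to follow.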