author    Gary S. Weaver <garysweaver@gmail.com>  2012-12-21 14:59:09 -0500
committer Gary S. Weaver <garysweaver@gmail.com>  2012-12-21 14:59:09 -0500
commit    d2b158465e495e11e050b3cb8e8b606bba75a36e
tree      315e476516fdb2463b31503005f2d0ef29d2daa6 /guides/source/security.md
parent    95f5f8167ff86550d7fa9f5f7419cc9b38ef9704
Updated security guide with information about secret_token.rb and to suggest securing sensitive files like database.yml and secret_token.rb
Diffstat (limited to 'guides/source/security.md')
-rw-r--r-- guides/source/security.md | 18
1 file changed, 11 insertions, 7 deletions
diff --git a/guides/source/security.md b/guides/source/security.md
index 8096ea2383..53835781f4 100644
--- a/guides/source/security.md
+++ b/guides/source/security.md
@@ -94,17 +94,16 @@ Rails 2 introduced a new default session storage, CookieStore. CookieStore saves
* The client can see everything you store in a session, because it is stored in clear-text (actually Base64-encoded, so not encrypted). So, of course, _you don't want to store any secrets here_. To prevent session hash tampering, a digest is calculated from the session with a server-side secret and inserted into the end of the cookie.
-That means the security of this storage depends on this secret (and on the digest algorithm, which defaults to SHA512, which has not been compromised, yet). So _don't use a trivial secret, i.e. a word from a dictionary, or one which is shorter than 30 characters_. Put the secret in your environment.rb:
+That means the security of this storage depends on this secret (and on the digest algorithm, which defaults to SHA512, which has not been compromised, yet). So _don't use a trivial secret, i.e. a word from a dictionary, or one which is shorter than 30 characters_.
-```ruby
-config.action_dispatch.session = {
- key: '_app_session',
- secret: '0x0dkfj3927dkc7djdh36rkckdfzsg...'
-}
-```
+Newly generated applications get their `config.secret_key_base` (or in `environment.rb` in some past versions) initialized to a random key in `config/initializers/secret_token.rb`, e.g.:
+
+ Posts::Application.config.secret_token = 'dkfj3927dkc7djdh36rkckdfzsg...'
There are, however, derivatives of CookieStore which encrypt the session hash, so the client cannot see it.
+If you have received an application where the secret was exposed (e.g. an application whose source was shared), strongly consider changing the secret.
+
### Replay Attacks for CookieStore Sessions
TIP: _Another sort of attack you have to be aware of when using `CookieStore` is the replay attack._
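Review bot: the prose and the example in this hunk disagree about which setting holds the secret: the added sentence names `config.secret_key_base`, while the example sets `Posts::Application.config.secret_token` and the file it points to is `secret_token.rb`. Use one name consistently for the version this guide documents (if `secret_key_base` belongs to a different version, say so explicitly or drop it), and move the parenthetical "(or in `environment.rb` in some past versions)" so that it qualifies the file location rather than the setting name. The example should also stay in a fenced ```ruby block like the one being removed, rather than indented code, to match the rest of the guide. The new advice to change an exposed secret is sound given that the digest is computed with that secret, but it should mention the consequence: existing session cookies will no longer verify, so all users are effectively logged out.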
@@ -959,6 +958,11 @@ Used to control which sites are allowed to bypass same origin policies and send
* Strict-Transport-Security
[Used to control if the browser is allowed to only access a site over a secure connection](http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security)
+Environmental Security
+----------------------
+
+It is beyond the scope of this guide to inform you on how to secure your application code and environments. However, please secure your database configuration, e.g. `config/database.yml`, and your server-side secret, e.g. stored in `config/initializers/secret_token.rb`. You may want to further restrict access, using environment-specific versions of these files and any others that may contain sensitive information.
+
Additional Resources
--------------------
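Review bot: the new section opens by saying that securing application code and environments is out of scope, then asks the reader to "secure" two files without saying what that means, which leaves the section as a reminder with no actionable content. Suggest naming the concrete measures the rest of the change implies: restrict read permissions on `config/database.yml` and `config/initializers/secret_token.rb` on the server, and keep their production values out of the shared source tree, since the first hunk already warns about secrets exposed through shared source. "environment-specific versions of these files" is also ambiguous; state whether it means one file per Rails environment or per-deployment copies kept outside the repository. Minor: "Environmental Security" reads as if it concerned the physical environment; "Environment Security" or "Securing Configuration Files" would be clearer.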