path: root/guides/source/security.md
Commit log (one entry per commit: subject line; author, date, files changed, lines removed/added; commit message body where present)

* Revert "Revert "Merge pull request #34387 from yhirano55/rails_info_properties_json""
  Author: Kasper Timm Hansen | Date: 2019-01-08 | Files: 1 | Lines: -0/+5
  I reverted the wrong commit. Damn it. This reverts commit f66a977fc7ae30d2a07124ad91924c4ee638a703.

* Revert "Merge pull request #34387 from yhirano55/rails_info_properties_json"
  Author: Kasper Timm Hansen | Date: 2019-01-08 | Files: 1 | Lines: -5/+0
  We had a discussion on the Core team and we don't want to expose this information as a JSON endpoint and not by default. It doesn't make sense to expose this JSON locally and this controller is only accessible in dev, so the proposed access from a production app seems off. This reverts commit 8eaffe7e89719ac62ff29c2e4208cfbeb1cd1c38, reversing changes made to b6e4305c3bca4c673996d0af9db0f4cfbf50215e.

* Amend CVE note and security guide section wordings
  Author: Gannon McGibbon | Date: 2018-11-06 | Files: 1 | Lines: -1/+1
  Reword first sentence of dep management and CVE section of security guide. Also, reword and move gemspec notes above deps. [ci skip]

* Add CVE note to security guide and gemspecs
  Author: Gannon McGibbon | Date: 2018-11-06 | Files: 1 | Lines: -0/+5
  [ci skip]

* [ci skip] corrects more grammar awkwardness, replacing denylist with restricted list and consistently using permitted
  Author: Mina Slater | Date: 2018-08-22 | Files: 1 | Lines: -14/+14

* [ci skip] fixes a few more grammar issues, changing a to an before the word allowlist
  Author: Mina Slater | Date: 2018-08-22 | Files: 1 | Lines: -6/+6

* [ci skip] change all instances of blacklist and whitelist to denylist and allowlist
  Author: Mina Slater | Date: 2018-08-21 | Files: 1 | Lines: -14/+14

* Fix file upload location recommendation
  Author: Jack Christensen | Date: 2018-08-01 | Files: 1 | Lines: -1/+1
  Going one level downwards from Rails' /public directory would still be inside the public directory and therefore servable by the web server. Files should be stored upwards of the public directory.

* Merge pull request #33229 from albertoalmagro/albertoalmagro/prefer-rails-command-over-bin-rails
  Author: Matthew Draper | Date: 2018-07-25 | Files: 1 | Lines: -1/+1
  Prefer rails command over bin/rails

* Recommend use of rails over bin/rails
  Author: Alberto Almagro | Date: 2018-07-06 | Files: 1 | Lines: -1/+1
  As discussed in #33203, the rails command already looks for, and runs, bin/rails if it is present. We were mixing recommendations within guides and USAGE guidelines: in some files we recommended using rails, in others bin/rails, and in some cases we even had both options mixed together.

* Rails guides are now served over https
  Author: Paul McMahon | Date: 2018-07-24 | Files: 1 | Lines: -1/+1
  http links will be redirected to the https version, but it is still better to just directly link to the https version.

* Added a lot of Oxford commas
  Author: Anthony Crumley | Date: 2018-05-10 | Files: 1 | Lines: -19/+19
  [ci skip] A regular expression was used to find a lot of missing Oxford commas and add them. The regular expression was as follows. ", ([a-zA-Z0-9.\`:'\"]+ ){1,6}(or|and) "

* Add the `nonce: true` option for `javascript_include_tag` helper.
  Author: Yaroslav Markin | Date: 2018-04-17 | Files: 1 | Lines: -0/+6

* Update security.md with latest underground market prices
  Author: szTheory | Date: 2018-04-13 | Files: 1 | Lines: -1/+1
  Updated underground market prices according to the 2017 Symantec ISTR (was previously citing the 2008 report).

* Fix MySpace Samy worm link [ci skip]
  Author: 284km | Date: 2018-04-12 | Files: 1 | Lines: -1/+1
  The old link https://samy.pl/popular/tech.html is 404 not found.

* Put images into each page's dir in guides
  Author: Yoshiyuki Hirano | Date: 2018-03-31 | Files: 1 | Lines: -2/+2

* Move CSP info from 5.2 release notes to guide [ci skip]
  Author: bogdanvlviv | Date: 2018-03-18 | Files: 1 | Lines: -0/+106
  - Add mention about "nonce". Related to https://github.com/rails/rails/pull/32222#issuecomment-372268157

* Fix note marks [ci skip]
  Author: Yauheni Dakuka | Date: 2018-03-12 | Files: 1 | Lines: -1/+1

* Remove password anecdotes from guides [ci skip]
  Author: Daniel Colson | Date: 2018-02-07 | Files: 1 | Lines: -12/+0

* Merge pull request #31817 from composerinteralia/mediocre-joke
  Author: Richard Schneeman | Date: 2018-01-28 | Files: 1 | Lines: -1/+1
  Remove joke in security guide [ci skip]

* Remove joke in security guide [ci skip]
  Author: Daniel Colson | Date: 2018-01-28 | Files: 1 | Lines: -1/+1
  I think this is a joke, although not a great one. It's mildly unprofessional, so I think we should get rid of it.

* Update `action_dispatch.default_headers` default value [ci skip]
  Author: yuuji.yaginuma | Date: 2018-01-28 | Files: 1 | Lines: -1/+4
  This was changed with 5d7b70f and 428939b.

* Fix typos [ci skip]
  Author: Yauheni Dakuka | Date: 2018-01-11 | Files: 1 | Lines: -1/+1

* Merge pull request #30474 from yhirano55/make_it_same_title_in_index_and_page
  Author: Eileen M. Uchitelle | Date: 2017-12-13 | Files: 1 | Lines: -2/+2
  Make it same title in index and page [ci skip]

* Make it same title in index and page [ci skip]
  Author: Yoshiyuki Hirano | Date: 2017-08-31 | Files: 1 | Lines: -2/+2

* [ci skip] SecureRandom should mention Win32 CryptoAPI functions ins… (#31225)
  Author: Atul Shimpi | Date: 2017-11-25 | Files: 1 | Lines: -1/+1
  * [ci skip] SecureRandom should mention Win32 CryptoAPI functions instead of Win32
  * Remove functions word

* Fix links [ci skip]
  Author: Yauheni Dakuka | Date: 2017-11-16 | Files: 1 | Lines: -2/+2

* Update security guide for signed cookie rotations
  Author: Michael Coyne | Date: 2017-10-09 | Files: 1 | Lines: -2/+3
  The example was slightly incorrect. This commit also adds a test case for this example to cookies middleware unit tests.

* Fix broken link to recaptcha.net [ci skip]
  Author: Patrick Davey | Date: 2017-10-01 | Files: 1 | Lines: -1/+1
  The link to recaptcha.net returns a 404. As far as I can tell, the new link ought to be to https://developers.google.com/recaptcha/ .

* [ci skip] Don't mention unrotatable secret_key_base.
  Author: Kasper Timm Hansen | Date: 2017-09-25 | Files: 1 | Lines: -18/+20

* [ci skip] Attempt a new explanation for rotations.
  Author: Kasper Timm Hansen | Date: 2017-09-24 | Files: 1 | Lines: -28/+16
  It's become clear to me that the use case is still a bit muddy and the upgrade path is going to be tough for people to figure out. This attempts at understanding it better through documentation, but still needs follow-up work. [ Michael Coyne & Kasper Timm Hansen ]

* [ci skip] RotationConfiguration is an implementation detail, not public API.
  Author: Kasper Timm Hansen | Date: 2017-09-24 | Files: 1 | Lines: -7/+4

* Add key rotation cookies middleware
  Author: Michael Coyne | Date: 2017-09-24 | Files: 1 | Lines: -19/+111
  Using the action_dispatch.cookies_rotations interface, key rotation is now possible with cookies. Thus the secret_key_base, as well as salts, ciphers, and digests, can be rotated without expiring sessions.

* Merge pull request #30623 from manojmj92/manojmj92-oo-key-patch
  Author: Javan Makhmali | Date: 2017-09-20 | Files: 1 | Lines: -1/+1
  make documentation consistent with KeyError message

* Fix error message documentation
  Author: Manoj M J | Date: 2017-09-20 | Files: 1 | Lines: -1/+1

* Remove "the" [ci skip]
  Author: Yauheni Dakuka | Date: 2017-09-18 | Files: 1 | Lines: -1/+1

* Fix typo: `credentails` -> `credentials` [ci skip]
  Author: yuuji.yaginuma | Date: 2017-09-16 | Files: 1 | Lines: -3/+3
  Follow up of ca18922ac23be2cde6963fae9b193c9111bec6f8

* [ci skip] Prefer credentials to secrets in docs.
  Author: Kasper Timm Hansen | Date: 2017-09-13 | Files: 1 | Lines: -24/+21
  Removes most mentions of secrets.secret_key_base and explains credentials instead. Also removes some very stale upgrade notices about Rails 3/4.

* Fix created_at [ci skip]
  Author: Yauheni Dakuka | Date: 2017-09-13 | Files: 1 | Lines: -1/+1

* Grammar fix
  Author: Jordan Sitkin | Date: 2017-08-22 | Files: 1 | Lines: -1/+1
  Changed the phrase '... and many more high targets' to '... and many more high _profile_ targets'

* Use ssl in guide and comment [ci skip]
  Author: Yoshiyuki Hirano | Date: 2017-08-19 | Files: 1 | Lines: -3/+3

* Remove period from within links
  Author: Jon Moss | Date: 2017-08-16 | Files: 1 | Lines: -3/+3
  Periods should be outside of the <a> tags [ci skip]

* Update security.md
  Author: Yauheni Dakuka | Date: 2017-06-26 | Files: 1 | Lines: -1/+1

* Add brakeman to guides/additional resources. Fixes #29383 [ci skip] (#29427)
  Author: Vipul A M | Date: 2017-06-12 | Files: 1 | Lines: -3/+4

* Merge pull request #28132 from mikeycgto/aead-encrypted-cookies
  Author: Kasper Timm Hansen | Date: 2017-05-28 | Files: 1 | Lines: -8/+15
  AEAD encrypted cookies and sessions

* AEAD encrypted cookies and sessions
  Author: Michael Coyne | Date: 2017-05-22 | Files: 1 | Lines: -8/+15
  This commit changes encrypted cookies from AES in CBC HMAC mode to Authenticated Encryption using AES-GCM. It also provides a cookie jar to transparently upgrade encrypted cookies to this new scheme. Some other notable changes include:
  - There is a new application configuration value: +use_authenticated_cookie_encryption+. When enabled, AEAD encrypted cookies will be used.
  - +cookies.signed+ does not raise a +TypeError+ now if the name of an encrypted cookie is used. Encrypted cookies using the same key as signed cookies would be verified and serialization would then fail due to the message still being encrypted.

* Define path with __dir__
  Author: bogdanvlviv | Date: 2017-05-23 | Files: 1 | Lines: -1/+1
  ".. with __dir__ we can restore order in the Universe." - by @fxn
  Related to 5b8738c2df003a96f0e490c43559747618d10f5f

* Fix broken external link in security guide.
  Author: Mike Gunderloy | Date: 2017-05-21 | Files: 1 | Lines: -1/+1

* Fix link to rails-ujs
  Author: Ryunosuke Sato | Date: 2017-03-30 | Files: 1 | Lines: -1/+1
  https://github.com/rails/rails-ujs is merged into actionview in favor of https://github.com/rails/rails/pull/28098. [skip ci]

* update guide to reflect browser compatibility for HTTP verbs [ci skip]
  Author: Rachel Carvalho | Date: 2017-03-23 | Files: 1 | Lines: -2/+2