path: root/guides/source/security.md
Commit log (each entry: commit message, author, date; files changed, lines removed/added):

* Fix links [ci skip] (Yauheni Dakuka, 2017-11-16; 1 file, -2/+2)
* Update security guide for signed cookie rotations (Michael Coyne, 2017-10-09; 1 file, -2/+3)
  The example was slightly incorrect. This commit also adds a test case for this example to cookies middleware unit tests.
* Fix broken link to recaptcha.net [ci skip] (Patrick Davey, 2017-10-01; 1 file, -1/+1)
  The link to recaptcha.net returns a 404. As far as I can tell, the new link ought to be to https://developers.google.com/recaptcha/ .
* [ci skip] Don't mention unrotatable secret_key_base. (Kasper Timm Hansen, 2017-09-25; 1 file, -18/+20)
* [ci skip] Attempt a new explanation for rotations. (Kasper Timm Hansen, 2017-09-24; 1 file, -28/+16)
  It's become clear to me that the use case is still a bit muddy and the upgrade path is going to be tough for people to figure out. This attempts to understand it better through documentation, but still needs follow-up work. [ Michael Coyne & Kasper Timm Hansen ]
* [ci skip] RotationConfiguration is an implementation detail, not public API. (Kasper Timm Hansen, 2017-09-24; 1 file, -7/+4)
* Add key rotation cookies middleware (Michael Coyne, 2017-09-24; 1 file, -19/+111)
  Using the action_dispatch.cookies_rotations interface, key rotation is now possible with cookies. Thus the secret_key_base as well as salts, ciphers, and digests, can be rotated without expiring sessions.
* Merge pull request #30623 from manojmj92/manojmj92-oo-key-patch (Javan Makhmali, 2017-09-20; 1 file, -1/+1)
  make documentation consistent with KeyError message
* Fix error message documentation (Manoj M J, 2017-09-20; 1 file, -1/+1)
* Remove "the" [ci skip] (Yauheni Dakuka, 2017-09-18; 1 file, -1/+1)
* Fix typo: `credentails` -> `credentials` [ci skip] (yuuji.yaginuma, 2017-09-16; 1 file, -3/+3)
  Follow up of ca18922ac23be2cde6963fae9b193c9111bec6f8
* [ci skip] Prefer credentials to secrets in docs. (Kasper Timm Hansen, 2017-09-13; 1 file, -24/+21)
  Removes most mentions of secrets.secret_key_base and explains credentials instead. Also removes some very stale upgrade notices about Rails 3/4.
* Fix created_at [ci skip] (Yauheni Dakuka, 2017-09-13; 1 file, -1/+1)
* Grammar fix (Jordan Sitkin, 2017-08-22; 1 file, -1/+1)
  Changed the phrase '... and many more high targets' to '... and many more high _profile_ targets'
* Use ssl in guide and comment [ci skip] (Yoshiyuki Hirano, 2017-08-19; 1 file, -3/+3)
* Remove period from within links (Jon Moss, 2017-08-16; 1 file, -3/+3)
  Periods should be outside of the <a> tags [ci skip]
* Update security.md (Yauheni Dakuka, 2017-06-26; 1 file, -1/+1)
* Add brakeman to guides/additional resources. Fixes #29383 [ci skip] (#29427) (Vipul A M, 2017-06-12; 1 file, -3/+4)
* Merge pull request #28132 from mikeycgto/aead-encrypted-cookies (Kasper Timm Hansen, 2017-05-28; 1 file, -8/+15)
  AEAD encrypted cookies and sessions
* AEAD encrypted cookies and sessions (Michael Coyne, 2017-05-22; 1 file, -8/+15)
  This commit changes encrypted cookies from AES in CBC HMAC mode to Authenticated Encryption using AES-GCM. It also provides a cookie jar to transparently upgrade encrypted cookies to this new scheme.
  Some other notable changes include:
  - There is a new application configuration value: +use_authenticated_cookie_encryption+. When enabled, AEAD encrypted cookies will be used.
  - +cookies.signed+ does not raise a +TypeError+ now if the name of an encrypted cookie is used. Encrypted cookies using the same key as signed cookies would be verified and serialization would then fail due to the message still being encrypted.
* Define path with __dir__ (bogdanvlviv, 2017-05-23; 1 file, -1/+1)
  ".. with __dir__ we can restore order in the Universe." - by @fxn
  Related to 5b8738c2df003a96f0e490c43559747618d10f5f
* Fix broken external link in security guide. (Mike Gunderloy, 2017-05-21; 1 file, -1/+1)
* Fix link to rails-ujs (Ryunosuke Sato, 2017-03-30; 1 file, -1/+1)
  https://github.com/rails/rails-ujs is merged into actionview in favor of https://github.com/rails/rails/pull/28098. [skip ci]
* update guide to reflect browser compatibility for HTTP verbs [ci skip] (Rachel Carvalho, 2017-03-23; 1 file, -2/+2)
* Update some jquery-ujs references to rails-ujs (Jon Moss, 2017-03-18; 1 file, -7/+6)
  [ci skip]
* Fix typo in the security guide (bogdanvlviv, 2017-03-12; 1 file, -2/+2)
  [ci skip]
* Merge branch 'master' of github.com:rails/docrails (Vijay Dev, 2016-12-16; 1 file, -1/+1)
* Remove mention of SafeErb gem [ci skip] (Prathamesh Sonpatki, 2016-11-19; 1 file, -1/+1)
  Followup of https://github.com/rails/rails/pull/27086
* Remove mention of deprecated SafeERB gem from security docs for now, prior section already speaks about sanitization as a safety measure. [ci skip] (#27086) Fixes #27085 (Vipul A M, 2016-11-18; 1 file, -1/+1)
* Remove the word "mongrel" from documents (Ryunosuke Sato, 2016-09-07; 1 file, -1/+1)
  Currently mongrel is not maintained. And it couldn't be built with any Ruby version supported by Rails. It is reasonable to remove the word "mongrel" in order to avoid confusion for newcomers.
* [ci skip] Broken links in documentation fix (Rasmus Kjellberg, 2016-08-30; 1 file, -1/+1)
* When referring to Rails, be consistent in usage of capitalized form, unless it is used in context of a command like bin/rails or the rails directory [ci skip] (Vipul A M, 2016-08-19; 1 file, -1/+1)
* rails -> Rails [ci skip] (Santosh Wadghule, 2016-07-12; 1 file, -1/+1)
* cosmetic updates to security guide - fixes #25058 [ci skip] (Mateusz Konieczny, 2016-05-27; 1 file, -1/+1)
* Merge pull request #25052 from matkoniecz/2008_is_not_recent (Jon Moss, 2016-05-17; 1 file, -3/+1)
  update to make it less obvious that this guide is from 2008/2009
* update to make it less obvious that this guide is from 2008/2009 (Mateusz Konieczny, 2016-05-17; 1 file, -3/+1)
  malicious ads are neither new nor unusual
  live HTTP headers project is dead - see https://www.mozdev.org/bugs/show_bug.cgi?id=25944
* Safari 4 supports http only cookie (#25053) (Mateusz Konieczny, 2016-05-17; 1 file, -1/+1)
  * Update documentation about Safari 4 supporting http only cookie
  - Source: www.greebo.net/2009/06/09/httponly-in-safari-40-release/ via http://stackoverflow.com/questions/528405/which-browsers-do-support-httponly-cookies
* Fix security guide capitalization errors (Jon Moss, 2016-05-16; 1 file, -15/+15)
  Would have submitted to docrails, but this guide was just changed today, and docrails doesn't have the most updated version :grimacing:
  cc @vipulnsward [ci skip]
* Update the Rails security guide (Ralin Chimev, 2016-05-16; 1 file, -2/+2)
  Bring up-to-date the information about the session id in the Sessions section. The guide currently says that the session id is a md5 hash while the implementation uses a random hex string.
  Fixes #25032. [ci skip]
* [ci skip] Parameter filter performs regular expression partial matching (Andrew Babichev, 2016-03-31; 1 file, -0/+2)
* Remove reference to unmaintained plugin/gem (Olivier Lacan, 2016-03-23; 1 file, -1/+1)
  [restful-authentication](https://rubygems.org/gems/restful-authentication/versions/1.2.1) hasn't been updated since September 6th, 2012 so it might not be a great idea to recommend that Rails users try it out. Devise seems like a much more popular and secure solution that automatically resets sessions on sign in and out so it's a great example in this case.
  /cc @tenderlove @josevalim
* Change 'a HTTP' to 'an HTTP' [ci skip] (Santosh Wadghule, 2016-03-03; 1 file, -3/+3)
* Fixed grammatical errors in rails docs [ci skip] (Matt Michnal, 2016-02-09; 1 file, -2/+2)
  Fixed errors in rails migrations docs [ci skip]
  Fixed errors in rails security docs [ci skip]
* [ci skip] Fix grammar (Abhishek Jain, 2016-02-09; 1 file, -1/+1)
* use rails secret in rails guides (Ryo Hashimoto, 2016-02-03; 1 file, -1/+1)
* ApplicationRecord documentation pass (Genadi Samokovarov, 2015-12-17; 1 file, -1/+1)
  This is a pass over the documentation which fills the missing gaps of `ApplicationRecord`. [ci skip]
* Fix a couple of grammatical errors in security.md (Existent Ltd, 2015-12-16; 1 file, -2/+2)
* Merge branch 'master' of github.com:rails/docrails (Vijay Dev, 2015-10-31; 1 file, -1/+1)
* Improved `KeyError` messages on bang version, since commit https://github.com/rails/rails/commit/e768c519fb6015e00961702a5165c6dab548a954 bang version produces `KeyError` [ci skip] (amitkumarsuroliya, 2015-10-11; 1 file, -1/+1)
* Improve readability in CSRF section of guide (Andy Lampert, 2015-10-07; 1 file, -4/+3)