path: root/guides/source/security.md
Commit message | Author | Age | Files | Lines
* Update link to OWASP XSS cheat sheet [ci skip] | Aaron Suarez | 2019-06-23 | 1 | -1/+1
* Update links and code examples in the guides to use HTTPS where the host supports it. | Nathaniel Suchy | 2019-03-06 | 1 | -5/+5
* Merge branch 'master' into guides_session_guidelines_2 | Matilda Smeds | 2018-12-09 | 1 | -1/+6
| * Amend CVE note and security guide section wordings | Gannon McGibbon | 2018-11-06 | 1 | -1/+1
    Reword first sentence of dep management and CVE section of security guide. Also, reword and move gemspec notes above deps. [ci skip]
| * Add CVE note to security guide and gemspecs | Gannon McGibbon | 2018-11-06 | 1 | -0/+5
    [ci skip]
* | Update guides/source/security.md | Derek Prior | 2018-10-18 | 1 | -1/+1
* | Update guides/source/security.md | Derek Prior | 2018-10-18 | 1 | -1/+1
* | Edit Security Guide's Session Guidelines & Custom Credentials [skip ci] | Matilda Smeds | 2018-10-14 | 1 | -68/+31
    - Edit Session Guidelines to achieve tighter prose and accuracy
    - Remove mentions related to earlier Rails versions
    - Add links to ActionController guide and Custom Credentials part
    - Clarify Custom Credentials part
* [ci skip] corrects more grammar awkwardness, replacing denylist with restricted list and consistently use permitted | Mina Slater | 2018-08-22 | 1 | -14/+14
* [ci skip] fixes a few more grammar issues, changing a to an before the word allowlist | Mina Slater | 2018-08-22 | 1 | -6/+6
* [ci skip] change all instances of blacklist and whitelist to denylist and allowlist | Mina Slater | 2018-08-21 | 1 | -14/+14
* Fix file upload location recommendation | Jack Christensen | 2018-08-01 | 1 | -1/+1
    Going one level downwards from Rails' /public directory would still be inside the public directory and therefore servable by the web server. Files should be stored upwards of the public directory.
* Merge pull request #33229 from albertoalmagro/albertoalmagro/prefer-rails-command-over-bin-rails | Matthew Draper | 2018-07-25 | 1 | -1/+1
    Prefer rails command over bin/rails
| * Recommend use of rails over bin/rails | Alberto Almagro | 2018-07-06 | 1 | -1/+1
    As discussed in #33203, the rails command already looks for, and runs, bin/rails if it is present. We were mixing recommendations within guides and USAGE guidelines: in some files we recommended using rails, in others bin/rails, and in some cases we even had both options mixed together.
* | Rails guides are now served over https | Paul McMahon | 2018-07-24 | 1 | -1/+1
    http links will be redirected to the https version, but it is still better to just directly link to the https version.
* Added a lot of Oxford commas | Anthony Crumley | 2018-05-10 | 1 | -19/+19
    [ci skip] A regular expression was used to find a lot of missing Oxford commas and add them. The regular expression was as follows: ", ([a-zA-Z0-9.\`:'\"]+ ){1,6}(or|and) "
* Add the `nonce: true` option for `javascript_include_tag` helper. | Yaroslav Markin | 2018-04-17 | 1 | -0/+6
* Update security.md with latest underground market prices | szTheory | 2018-04-13 | 1 | -1/+1
    Updated underground market prices according to the 2017 Symantec ISTR (was previously citing the 2008 report).
* Fix MySpace Samy worm link [ci skip] | 284km | 2018-04-12 | 1 | -1/+1
    The old link https://samy.pl/popular/tech.html is 404 not found.
* Put images into each page's dir in guides | Yoshiyuki Hirano | 2018-03-31 | 1 | -2/+2
* Move CSP info from 5.2 release notes to guide [ci skip] | bogdanvlviv | 2018-03-18 | 1 | -0/+106
    - Add mention about "nonce". Related to https://github.com/rails/rails/pull/32222#issuecomment-372268157
* Fix note marks [ci skip] | Yauheni Dakuka | 2018-03-12 | 1 | -1/+1
* Remove password anecdotes from guides [ci skip] | Daniel Colson | 2018-02-07 | 1 | -12/+0
* Merge pull request #31817 from composerinteralia/mediocre-joke | Richard Schneeman | 2018-01-28 | 1 | -1/+1
    Remove joke in security guide [ci skip]
| * Remove joke in security guide [ci skip] | Daniel Colson | 2018-01-28 | 1 | -1/+1
    I think this is a joke, although not a great one. It's mildly unprofessional, so I think we should get rid of it.
* | Update `action_dispatch.default_headers` default value [ci skip] | yuuji.yaginuma | 2018-01-28 | 1 | -1/+4
    This was changed with 5d7b70f and 428939b.
* Fix typos [ci skip] | Yauheni Dakuka | 2018-01-11 | 1 | -1/+1
* Merge pull request #30474 from yhirano55/make_it_same_title_in_index_and_page | Eileen M. Uchitelle | 2017-12-13 | 1 | -2/+2
    Make it same title in index and page [ci skip]
| * Make it same title in index and page [ci skip] | Yoshiyuki Hirano | 2017-08-31 | 1 | -2/+2
* | [ci skip] SecureRandom should mention Win32 CryptoAPI functions ins… (#31225) | Atul Shimpi | 2017-11-25 | 1 | -1/+1
    - [ci skip] SecureRandom should mention Win32 CryptoAPI functions instead of Win32
    - Remove functions word
* | Fix links [ci skip] | Yauheni Dakuka | 2017-11-16 | 1 | -2/+2
* | Update security guide for signed cookie rotations | Michael Coyne | 2017-10-09 | 1 | -2/+3
    The example was slightly incorrect. This commit also adds a test case for this example to cookies middleware unit tests.
* | Fix broken link to recaptcha.net [ci skip] | Patrick Davey | 2017-10-01 | 1 | -1/+1
    The link to recaptcha.net returns a 404. As far as I can tell, the new link ought to be to https://developers.google.com/recaptcha/.
* | [ci skip] Don't mention unrotatable secret_key_base. | Kasper Timm Hansen | 2017-09-25 | 1 | -18/+20
* | [ci skip] Attempt a new explanation for rotations. | Kasper Timm Hansen | 2017-09-24 | 1 | -28/+16
    It's become clear to me that the use case is still a bit muddy and the upgrade path is going to be tough for people to figure out. This attempts at understanding it better through documentation, but still needs follow-up work. [ Michael Coyne & Kasper Timm Hansen ]
* | [ci skip] RotationConfiguration is an implementation detail, not public API. | Kasper Timm Hansen | 2017-09-24 | 1 | -7/+4
* | Add key rotation cookies middleware | Michael Coyne | 2017-09-24 | 1 | -19/+111
    Using the action_dispatch.cookies_rotations interface, key rotation is now possible with cookies. Thus the secret_key_base, as well as salts, ciphers, and digests, can be rotated without expiring sessions.
* | Merge pull request #30623 from manojmj92/manojmj92-oo-key-patch | Javan Makhmali | 2017-09-20 | 1 | -1/+1
    make documentation consistent with KeyError message
| * | Fix error message documentation | Manoj M J | 2017-09-20 | 1 | -1/+1
* | | Remove "the" [ci skip] | Yauheni Dakuka | 2017-09-18 | 1 | -1/+1
* | Fix typo: `credentails` -> `credentials` [ci skip] | yuuji.yaginuma | 2017-09-16 | 1 | -3/+3
    Follow up of ca18922ac23be2cde6963fae9b193c9111bec6f8
* | [ci skip] Prefer credentials to secrets in docs. | Kasper Timm Hansen | 2017-09-13 | 1 | -24/+21
    Removes most mentions of secrets.secret_key_base and explains credentials instead. Also removes some very stale upgrade notices about Rails 3/4.
* | Fix created_at [ci skip] | Yauheni Dakuka | 2017-09-13 | 1 | -1/+1
* Grammar fix | Jordan Sitkin | 2017-08-22 | 1 | -1/+1
    Changed the phrase '... and many more high targets' to '... and many more high _profile_ targets'
* Use ssl in guide and comment [ci skip] | Yoshiyuki Hirano | 2017-08-19 | 1 | -3/+3
* Remove period from within links | Jon Moss | 2017-08-16 | 1 | -3/+3
    Periods should be outside of the <a> tags [ci skip]
* Update security.md | Yauheni Dakuka | 2017-06-26 | 1 | -1/+1
* Add brakeman to guides/additional resources. Fixes #29383 [ci skip] (#29427) | Vipul A M | 2017-06-12 | 1 | -3/+4
* Merge pull request #28132 from mikeycgto/aead-encrypted-cookies | Kasper Timm Hansen | 2017-05-28 | 1 | -8/+15
    AEAD encrypted cookies and sessions
| * AEAD encrypted cookies and sessions | Michael Coyne | 2017-05-22 | 1 | -8/+15
    This commit changes encrypted cookies from AES in CBC HMAC mode to Authenticated Encryption using AES-GCM. It also provides a cookie jar to transparently upgrade encrypted cookies to this new scheme. Some other notable changes include:
    - There is a new application configuration value: +use_authenticated_cookie_encryption+. When enabled, AEAD encrypted cookies will be used.
    - +cookies.signed+ does not raise a +TypeError+ now if the name of an encrypted cookie is used. Encrypted cookies using the same key as signed cookies would be verified and serialization would then fail due to the message still being encrypted.