| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
|
|
|
| |
supports it.
|
|\ |
|
| |
| |
| |
| |
| |
| |
| | |
Reword first sentence of dep management and CVE section of
security guide. Also, reword and move gemspec notes above deps.
[ci skip]
|
| |
| |
| |
| | |
[ci skip]
|
| | |
|
| | |
|
|/
|
|
|
|
|
| |
* Edit Session Guidelines to achieve tighter prose and accuracy
* Remove mentions related to earlier Rails versions
* Add links to ActionController guide and Custom Credentials part
* Clarify Custom Credentials part
|
|
|
|
| |
restricted list and consistently use permitted
|
|
|
|
| |
allowlist
|
|
|
|
| |
allowlist
|
|
|
| |
Going one level downwards from Rails' /public directory would still be inside the public directory and therefore servable by the web server. Files should stored upwards of the public directory.
|
|\
| |
| |
| |
| | |
albertoalmagro/albertoalmagro/prefer-rails-command-over-bin-rails
Prefer rails command over bin/rails
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
As discussed in #33203 rails command already looks for, and runs,
bin/rails if it is present.
We were mixing recommendations within guides and USAGE guidelines,
in some files we recommended using rails, in others bin/rails and
in some cases we even had both options mixed together.
|
|/
|
|
|
| |
http links will be redirected to the https version, but still better to
just directly link to the https version.
|
|
|
|
|
|
|
| |
[ci skip] A regular expression was used to find a lot of missing Oxford
commas and add them. The regular expression was as follows.
", ([a-zA-Z0-9.\`:'\"]+ ){1,6}(or|and) "
|
| |
|
|
|
| |
Updated underground market prices according to the 2017 Symantec ISTR (was previously citing the 2008 report)
|
|
|
|
| |
The old link https://samy.pl/popular/tech.html is 404 not found.
|
| |
|
|
|
|
|
|
| |
- Add mention about "nonce".
Related to https://github.com/rails/rails/pull/32222#issuecomment-372268157
|
| |
|
| |
|
|\
| |
| | |
Remove joke in security guide [ci skip]
|
| |
| |
| |
| |
| |
| | |
I think this is a joke, although not a great one.
It's mildly unprofessional, so I think we
should get rid of it.
|
|/
|
|
| |
This was changed with 5d7b70f and 428939b.
|
| |
|
|\
| |
| | |
Make it same title in index and page [ci skip]
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| | |
(#31225)
* [ci skip] SecureRandom should mentioned Win32 CryptoAPI functions instead of Win32
* Remove functions word
|
| | |
|
| |
| |
| |
| |
| | |
The example was slightly incorrect. This commit also adds a test case
for this example to cookies middleware unit tests.
|
| |
| |
| |
| |
| | |
The link to recaptcha.net returns a 404. As far as I can tell, the new
link ought to be to https://developers.google.com/recaptcha/ .
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
It's become clear to me that the use case is still a bit muddy
and the upgrade path is going to be tough for people to figure
out.
This attempts at understanding it better through documentation,
but still needs follow up work.
[ Michael Coyne & Kasper Timm Hansen ]
|
| | |
|
| |
| |
| |
| |
| |
| | |
Using the action_dispatch.cookies_rotations interface, key rotation is
now possible with cookies. Thus the secret_key_base as well as salts,
ciphers, and digests, can be rotated without expiring sessions.
|
|\ \
| | |
| | | |
make documentation consistent with KeyError message
|
| | | |
|
|/ / |
|
| |
| |
| |
| | |
Follow up of ca18922ac23be2cde6963fae9b193c9111bec6f8
|
| |
| |
| |
| |
| |
| |
| | |
Removes most mentions of secrets.secret_key_base and explains
credentials instead.
Also removes some very stale upgrade notices about Rails 3/4.
|
|/ |
|
|
|
|
| |
Changed the phrase '... and many more high targets' to '... and many more high _profile_ targets'
|
| |
|
|
|
|
|
|
| |
Periods should be outside of the <a> tags
[ci skip]
|
| |
|
| |
|
|\
| |
| | |
AEAD encrypted cookies and sessions
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This commit changes encrypted cookies from AES in CBC HMAC mode to
Authenticated Encryption using AES-GCM. It also provides a cookie jar
to transparently upgrade encrypted cookies to this new scheme. Some
other notable changes include:
- There is a new application configuration value:
+use_authenticated_cookie_encryption+. When enabled, AEAD encrypted
cookies will be used.
- +cookies.signed+ does not raise a +TypeError+ now if the name of an
encrypted cookie is used. Encrypted cookies using the same key as
signed cookies would be verified and serialization would then fail
due the message still be encrypted.
|