aboutsummaryrefslogtreecommitdiffstats
path: root/guides/source/security.md
Commit message (Collapse)AuthorAgeFilesLines
* Add the `nonce: true` option for `javascript_include_tag` helper.Yaroslav Markin2018-04-171-0/+6
|
* Update security.md with latest underground market pricesszTheory2018-04-131-1/+1
| | | Updated underground market prices according to the 2017 Symantec ISTR (was previously citing the 2008 report)
* Fix MySpace Samy worm link [ci skip]284km2018-04-121-1/+1
| | | | The old link https://samy.pl/popular/tech.html is 404 not found.
* Put images into each page's dir in guidesYoshiyuki Hirano2018-03-311-2/+2
|
* Move CSP info from 5.2 release notes to guide [ci skip]bogdanvlviv2018-03-181-0/+106
| | | | | | - Add mention about "nonce". Related to https://github.com/rails/rails/pull/32222#issuecomment-372268157
* Fix note marks [ci skip]Yauheni Dakuka2018-03-121-1/+1
|
* Remove password anecdotes from guides [ci skip]Daniel Colson2018-02-071-12/+0
|
* Merge pull request #31817 from composerinteralia/mediocre-jokeRichard Schneeman2018-01-281-1/+1
|\ | | | | Remove joke in security guide [ci skip]
| * Remove joke in security guide [ci skip]Daniel Colson2018-01-281-1/+1
| | | | | | | | | | | | I think this is a joke, although not a great one. It's mildly unprofessional, so I think we should get rid of it.
* | Update `action_dispatch.default_headers` default value [ci skip]yuuji.yaginuma2018-01-281-1/+4
|/ | | | This was changed with 5d7b70f and 428939b.
* Fix typos [ci skip]Yauheni Dakuka2018-01-111-1/+1
|
* Merge pull request #30474 from yhirano55/make_it_same_title_in_index_and_pageEileen M. Uchitelle2017-12-131-2/+2
|\ | | | | Make it same title in index and page [ci skip]
| * Make it same title in index and page [ci skip]Yoshiyuki Hirano2017-08-311-2/+2
| |
* | [ci skip] SecureRandom should mentioned Win32 CryptoAPI functions ins… ↵Atul Shimpi2017-11-251-1/+1
| | | | | | | | | | | | | | | | (#31225) * [ci skip] SecureRandom should mentioned Win32 CryptoAPI functions instead of Win32 * Remove functions word
* | Fix links [ci skip]Yauheni Dakuka2017-11-161-2/+2
| |
* | Update security guide for signed cookie rotationsMichael Coyne2017-10-091-2/+3
| | | | | | | | | | The example was slightly incorrect. This commit also adds a test case for this example to cookies middleware unit tests.
* | Fix broken link to recaptcha.net [ci skip]Patrick Davey2017-10-011-1/+1
| | | | | | | | | | The link to recaptcha.net returns a 404. As far as I can tell, the new link ought to be to https://developers.google.com/recaptcha/ .
* | [ci skip] Don't mention unrotatable secret_key_base.Kasper Timm Hansen2017-09-251-18/+20
| |
* | [ci skip] Attempt a new explanation for rotations.Kasper Timm Hansen2017-09-241-28/+16
| | | | | | | | | | | | | | | | | | | | | | It's become clear to me that the use case is still a bit muddy and the upgrade path is going to be tough for people to figure out. This attempts at understanding it better through documentation, but still needs follow up work. [ Michael Coyne & Kasper Timm Hansen ]
* | [ci skip] RotationConfiguration is an implementation detail, not public API.Kasper Timm Hansen2017-09-241-7/+4
| |
* | Add key rotation cookies middlewareMichael Coyne2017-09-241-19/+111
| | | | | | | | | | | | Using the action_dispatch.cookies_rotations interface, key rotation is now possible with cookies. Thus the secret_key_base as well as salts, ciphers, and digests, can be rotated without expiring sessions.
* | Merge pull request #30623 from manojmj92/manojmj92-oo-key-patchJavan Makhmali2017-09-201-1/+1
|\ \ | | | | | | make documentation consistent with KeyError message
| * | Fix error message documentationManoj M J2017-09-201-1/+1
| | |
* | | Remove "the" [ci skip]Yauheni Dakuka2017-09-181-1/+1
|/ /
* | Fix typo: `credentails` -> `credentials` [ci skip]yuuji.yaginuma2017-09-161-3/+3
| | | | | | | | Follow up of ca18922ac23be2cde6963fae9b193c9111bec6f8
* | [ci skip] Prefer credentials to secrets in docs.Kasper Timm Hansen2017-09-131-24/+21
| | | | | | | | | | | | | | Removes most mentions of secrets.secret_key_base and explains credentials instead. Also removes some very stale upgrade notices about Rails 3/4.
* | Fix created_at [ci skip]Yauheni Dakuka2017-09-131-1/+1
|/
* Grammar fixJordan Sitkin2017-08-221-1/+1
| | | | Changed the phrase '... and many more high targets' to '... and many more high _profile_ targets'
* Use ssl in guide and comment [ci skip]Yoshiyuki Hirano2017-08-191-3/+3
|
* Remove period from within linksJon Moss2017-08-161-3/+3
| | | | | | Periods should be outside of the <a> tags [ci skip]
* Update security.mdYauheni Dakuka2017-06-261-1/+1
|
* Add brakeman to guides/additional resources. Fixes #29383 [ci skip] (#29427)Vipul A M2017-06-121-3/+4
|
* Merge pull request #28132 from mikeycgto/aead-encrypted-cookiesKasper Timm Hansen2017-05-281-8/+15
|\ | | | | AEAD encrypted cookies and sessions
| * AEAD encrypted cookies and sessionsMichael Coyne2017-05-221-8/+15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This commit changes encrypted cookies from AES in CBC HMAC mode to Authenticated Encryption using AES-GCM. It also provides a cookie jar to transparently upgrade encrypted cookies to this new scheme. Some other notable changes include: - There is a new application configuration value: +use_authenticated_cookie_encryption+. When enabled, AEAD encrypted cookies will be used. - +cookies.signed+ does not raise a +TypeError+ now if the name of an encrypted cookie is used. Encrypted cookies using the same key as signed cookies would be verified and serialization would then fail due the message still be encrypted.
* | Define path with __dir__bogdanvlviv2017-05-231-1/+1
| | | | | | | | | | | | ".. with __dir__ we can restore order in the Universe." - by @fxn Related to 5b8738c2df003a96f0e490c43559747618d10f5f
* | Fix broken external link in security guide.Mike Gunderloy2017-05-211-1/+1
|/
* Fix link to rails-ujsRyunosuke Sato2017-03-301-1/+1
| | | | | https://github.com/rails/rails-ujs is merged into actionview in favor of https://github.com/rails/rails/pull/28098. [skip ci]
* update guide to reflect browser compatibility for HTTP verbs [ci skip]Rachel Carvalho2017-03-231-2/+2
|
* Update some jquery-ujs references to rails-ujsJon Moss2017-03-181-7/+6
| | | | [ci skip]
* Fix typo in the security guidebogdanvlviv2017-03-121-2/+2
| | | | [ci skip]
* Merge branch 'master' of github.com:rails/docrailsVijay Dev2016-12-161-1/+1
|\
| * Remove mention of SafeErb gem [ci skip]Prathamesh Sonpatki2016-11-191-1/+1
| | | | | | | | Followup of https://github.com/rails/rails/pull/27086
* | Remove mention of deprecated SafeERB gem from security docs for now, prior ↵Vipul A M2016-11-181-1/+1
|/ | | | | section already speaks about sanitization as a safety measure. [ci skip] (#27086) Fixes #27085
* Remove the word "mongrel" from documentsRyunosuke Sato2016-09-071-1/+1
| | | | | | | | | Currently mongrel is not maintained. And it couldn't be built with any Ruby versions that supported by Rails. It is reasonable to remove the word "mongrel" in order to avoid confusion from newcomer.
* [ci skip] Broken links in documentation fixRasmus Kjellberg2016-08-301-1/+1
|
* When referring to Rails, be consistent in usage of capitalized form, unless ↵Vipul A M2016-08-191-1/+1
| | | | it is used in context of a command like bin/rails or the rails directory [ci skip]
* rails -> Rails [ci skip]Santosh Wadghule2016-07-121-1/+1
|
* cometic updates to security guide - fixes #25058 [ci skip]Mateusz Konieczny2016-05-271-1/+1
|
* Merge pull request #25052 from matkoniecz/2008_is_not_recentJon Moss2016-05-171-3/+1
|\ | | | | update to make it less obvious that this guide is from 2008/2009
| * update to make it less obvious that this guide is from 2008/2009Mateusz Konieczny2016-05-171-3/+1
| | | | | | | | | | malicious ads are neither new nor unusual live HTTP headers project is dead - see https://www.mozdev.org/bugs/show_bug.cgi?id=25944
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-02 14:25:03 +0000