aboutsummaryrefslogtreecommitdiffstats
path: root/guides/source/security.md
Commit message (Collapse)AuthorAgeFilesLines
* Merge pull request #28132 from mikeycgto/aead-encrypted-cookiesKasper Timm Hansen2017-05-281-8/+15
|\ | | | | AEAD encrypted cookies and sessions
| * AEAD encrypted cookies and sessionsMichael Coyne2017-05-221-8/+15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This commit changes encrypted cookies from AES in CBC HMAC mode to Authenticated Encryption using AES-GCM. It also provides a cookie jar to transparently upgrade encrypted cookies to this new scheme. Some other notable changes include: - There is a new application configuration value: +use_authenticated_cookie_encryption+. When enabled, AEAD encrypted cookies will be used. - +cookies.signed+ does not raise a +TypeError+ now if the name of an encrypted cookie is used. Encrypted cookies using the same key as signed cookies would be verified and serialization would then fail due the message still be encrypted.
* | Define path with __dir__bogdanvlviv2017-05-231-1/+1
| | | | | | | | | | | | ".. with __dir__ we can restore order in the Universe." - by @fxn Related to 5b8738c2df003a96f0e490c43559747618d10f5f
* | Fix broken external link in security guide.Mike Gunderloy2017-05-211-1/+1
|/
* Fix link to rails-ujsRyunosuke Sato2017-03-301-1/+1
| | | | | https://github.com/rails/rails-ujs is merged into actionview in favor of https://github.com/rails/rails/pull/28098. [skip ci]
* update guide to reflect browser compatibility for HTTP verbs [ci skip]Rachel Carvalho2017-03-231-2/+2
|
* Update some jquery-ujs references to rails-ujsJon Moss2017-03-181-7/+6
| | | | [ci skip]
* Fix typo in the security guidebogdanvlviv2017-03-121-2/+2
| | | | [ci skip]
* Merge branch 'master' of github.com:rails/docrailsVijay Dev2016-12-161-1/+1
|\
| * Remove mention of SafeErb gem [ci skip]Prathamesh Sonpatki2016-11-191-1/+1
| | | | | | | | Followup of https://github.com/rails/rails/pull/27086
* | Remove mention of deprecated SafeERB gem from security docs for now, prior ↵Vipul A M2016-11-181-1/+1
|/ | | | | section already speaks about sanitization as a safety measure. [ci skip] (#27086) Fixes #27085
* Remove the word "mongrel" from documentsRyunosuke Sato2016-09-071-1/+1
| | | | | | | | | Currently mongrel is not maintained. And it couldn't be built with any Ruby versions that supported by Rails. It is reasonable to remove the word "mongrel" in order to avoid confusion from newcomer.
* [ci skip] Broken links in documentation fixRasmus Kjellberg2016-08-301-1/+1
|
* When referring to Rails, be consistent in usage of capitalized form, unless ↵Vipul A M2016-08-191-1/+1
| | | | it is used in context of a command like bin/rails or the rails directory [ci skip]
* rails -> Rails [ci skip]Santosh Wadghule2016-07-121-1/+1
|
* cometic updates to security guide - fixes #25058 [ci skip]Mateusz Konieczny2016-05-271-1/+1
|
* Merge pull request #25052 from matkoniecz/2008_is_not_recentJon Moss2016-05-171-3/+1
|\ | | | | update to make it less obvious that this guide is from 2008/2009
| * update to make it less obvious that this guide is from 2008/2009Mateusz Konieczny2016-05-171-3/+1
| | | | | | | | | | malicious ads are neither new nor unusual live HTTP headers project is dead - see https://www.mozdev.org/bugs/show_bug.cgi?id=25944
* | Safari 4 supports http only cookie (#25053)Mateusz Konieczny2016-05-171-1/+1
| | | | | | | | | | * Update documentation about Safari 4 supporting http only cookie - Source: www.greebo.net/2009/06/09/httponly-in-safari-40-release/ via http://stackoverflow.com/questions/528405/which-browsers-do-support-httponly-cookies
* | Fix security guide capitalization errorsJon Moss2016-05-161-15/+15
|/ | | | | | | | | Would have submitted to docrails, but this guide was just changed today, and docrails doesn't have the most updated version :grimacing: cc @vipulnsward [ci skip]
* Update the Rails security guideRalin Chimev2016-05-161-2/+2
| | | | | | | | | | | Bring up-to-date the information about the session id in the Sessions section. The guide currently says that the session id is a md5 hash while the implementation uses a random hex string. Fixes #25032. [ci skip]
* [ci skip] Parameter filter performs regular expression partial matchingAndrew Babichev2016-03-311-0/+2
|
* Remove reference to unmaintained plugin/gemOlivier Lacan2016-03-231-1/+1
| | | | | | | | | [restful-authentication](https://rubygems.org/gems/restful-authentication/versions/1.2.1) hasn't been updated since September 6th, 2012 so it might not be a great idea to recommend that Rails users try it out. Devise seems like a much more popular and secure solution that automatically resets sessions on sign in and out so it's a great example in this case. /cc @tenderlove @josevalim
* Change 'a HTTP' to 'an HTTP' [ci skip]Santosh Wadghule2016-03-031-3/+3
|
* Fixed grammatical errors in rails docs [ci skip]Matt Michnal2016-02-091-2/+2
| | | | | | Fixed errors in rails migrations docs [ci skip] Fixed errors in rails security docs [ci skip]
* [ci skip] Fix grammarAbhishek Jain2016-02-091-1/+1
|
* use rails secret in rails guidesRyo Hashimoto2016-02-031-1/+1
|
* ApplicationRecord documentation passGenadi Samokovarov2015-12-171-1/+1
| | | | | | | This is a pass over the documentation which fills the missing gaps of `ApplicationRecord`. [ci skip]
* Fix a couple of grammatical errors in security.mdExistent Ltd2015-12-161-2/+2
|
* Merge branch 'master' of github.com:rails/docrailsVijay Dev2015-10-311-1/+1
|\
| * Improved `KeyError` messages on bang version, since commit ↵amitkumarsuroliya2015-10-111-1/+1
| | | | | | | | https://github.com/rails/rails/commit/e768c519fb6015e00961702a5165c6dab548a954 bang version produces `KeyError` [ci skip]
* | Improve readability in CSRF section of guideAndy Lampert2015-10-071-4/+3
| |
* | [ci skip] Change 'an URL' to 'a URL' as URL doesn't have a vowel soundtanmay30112015-10-061-2/+2
| |
* | Update text on CSS Injection / MyspaceSean Collins2015-10-031-5/+3
|/ | | | [skip ci]
* Clarify CSRF <script> purpose and protection. Note how to deal with your own ↵Jeremy Daer2015-09-161-1/+3
| | | | | | | | <script> tags. Ref #21618 [ci skip]
* Improved explanation of the <script> tag CSRF behaviorAnshul Agrawal2015-09-141-1/+1
|
* Merge branch 'master' of github.com:rails/railsVijay Dev2015-08-241-20/+20
|\ | | | | | | | | Conflicts: guides/source/security.md
| * Add bold to lists' titles [ci skip]Alexey Markov2015-08-211-6/+6
| |
| * Small fixes [ci skip]Alexey Markov2015-08-201-12/+6
| |
| * Small fixes [ci skip]Alexey Markov2015-08-171-6/+5
| |
| * Tiny documentation fixes [ci skip]Robin Dupret2015-08-111-1/+6
| |
| * [ci skip] Typo fixedDhia Eddine Chouchane2015-08-061-1/+1
| |
| * Outdated information about session storage updated [ci skip] Dhia Eddine Chouchane2015-08-061-2/+4
| | | | | | | | The guide contains information about Rails 2 storing mechanism, but not Rails 4. Enhanced the accuracy and coherence of information (There was a part saying "Older versions of Rails use CookieStore, which uses `secret_token` instead of `secret_key_base` that is used by EncryptedCookieStore." while there was no mention of EncryptedCookieStore before)
* | add commas removed earlier [ci skip]Vijay Dev2015-08-241-1/+1
| |
* | [ci skip] Fix to `a, b and c` formatyui-knk2015-07-251-1/+1
| |
* | [ci skip] Fix minor typoyui-knk2015-07-241-1/+1
| | | | | | | | | | * Remove `,` * Fix `&lt`; -> `&lt;`
* | [ci skip] Minor fixyui-knk2015-07-241-1/+1
|/ | | | | * add a space * add a `.`
* Add to Security guides the secrets.ymlMauro George2015-07-061-0/+23
| | | | [ci skip]
* [ci skip] Replace dead link about HttpOnly cookies.Yoong Kang Lim2015-05-281-1/+1
|
* Rails documentation standard is american english. [ci skip]karanarora2015-05-201-1/+1
|