Commit message (Collapse) | Author | Age | Files | Lines | |
---|---|---|---|---|---|
* | Update security.md | Yauheni Dakuka | 2017-06-26 | 1 | -1/+1 |
| | |||||
* | Add brakeman to guides/additional resources. Fixes #29383 [ci skip] (#29427) | Vipul A M | 2017-06-12 | 1 | -3/+4 |
| | |||||
* | Merge pull request #28132 from mikeycgto/aead-encrypted-cookies | Kasper Timm Hansen | 2017-05-28 | 1 | -8/+15 |
|\ | | | | | AEAD encrypted cookies and sessions | ||||
| * | AEAD encrypted cookies and sessions | Michael Coyne | 2017-05-22 | 1 | -8/+15 |
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This commit changes encrypted cookies from AES in CBC HMAC mode to Authenticated Encryption using AES-GCM. It also provides a cookie jar to transparently upgrade encrypted cookies to this new scheme. Some other notable changes include: - There is a new application configuration value: +use_authenticated_cookie_encryption+. When enabled, AEAD encrypted cookies will be used. - +cookies.signed+ does not raise a +TypeError+ now if the name of an encrypted cookie is used. Encrypted cookies using the same key as signed cookies would be verified and serialization would then fail due the message still be encrypted. | ||||
* | | Define path with __dir__ | bogdanvlviv | 2017-05-23 | 1 | -1/+1 |
| | | | | | | | | | | | | ".. with __dir__ we can restore order in the Universe." - by @fxn Related to 5b8738c2df003a96f0e490c43559747618d10f5f | ||||
* | | Fix broken external link in security guide. | Mike Gunderloy | 2017-05-21 | 1 | -1/+1 |
|/ | |||||
* | Fix link to rails-ujs | Ryunosuke Sato | 2017-03-30 | 1 | -1/+1 |
| | | | | | https://github.com/rails/rails-ujs is merged into actionview in favor of https://github.com/rails/rails/pull/28098. [skip ci] | ||||
* | update guide to reflect browser compatibility for HTTP verbs [ci skip] | Rachel Carvalho | 2017-03-23 | 1 | -2/+2 |
| | |||||
* | Update some jquery-ujs references to rails-ujs | Jon Moss | 2017-03-18 | 1 | -7/+6 |
| | | | | [ci skip] | ||||
* | Fix typo in the security guide | bogdanvlviv | 2017-03-12 | 1 | -2/+2 |
| | | | | [ci skip] | ||||
* | Merge branch 'master' of github.com:rails/docrails | Vijay Dev | 2016-12-16 | 1 | -1/+1 |
|\ | |||||
| * | Remove mention of SafeErb gem [ci skip] | Prathamesh Sonpatki | 2016-11-19 | 1 | -1/+1 |
| | | | | | | | | Followup of https://github.com/rails/rails/pull/27086 | ||||
* | | Remove mention of deprecated SafeERB gem from security docs for now, prior ↵ | Vipul A M | 2016-11-18 | 1 | -1/+1 |
|/ | | | | | section already speaks about sanitization as a safety measure. [ci skip] (#27086) Fixes #27085 | ||||
* | Remove the word "mongrel" from documents | Ryunosuke Sato | 2016-09-07 | 1 | -1/+1 |
| | | | | | | | | | Currently mongrel is not maintained. And it couldn't be built with any Ruby versions that supported by Rails. It is reasonable to remove the word "mongrel" in order to avoid confusion from newcomer. | ||||
* | [ci skip] Broken links in documentation fix | Rasmus Kjellberg | 2016-08-30 | 1 | -1/+1 |
| | |||||
* | When referring to Rails, be consistent in usage of capitalized form, unless ↵ | Vipul A M | 2016-08-19 | 1 | -1/+1 |
| | | | | it is used in context of a command like bin/rails or the rails directory [ci skip] | ||||
* | rails -> Rails [ci skip] | Santosh Wadghule | 2016-07-12 | 1 | -1/+1 |
| | |||||
* | cometic updates to security guide - fixes #25058 [ci skip] | Mateusz Konieczny | 2016-05-27 | 1 | -1/+1 |
| | |||||
* | Merge pull request #25052 from matkoniecz/2008_is_not_recent | Jon Moss | 2016-05-17 | 1 | -3/+1 |
|\ | | | | | update to make it less obvious that this guide is from 2008/2009 | ||||
| * | update to make it less obvious that this guide is from 2008/2009 | Mateusz Konieczny | 2016-05-17 | 1 | -3/+1 |
| | | | | | | | | | | malicious ads are neither new nor unusual live HTTP headers project is dead - see https://www.mozdev.org/bugs/show_bug.cgi?id=25944 | ||||
* | | Safari 4 supports http only cookie (#25053) | Mateusz Konieczny | 2016-05-17 | 1 | -1/+1 |
| | | | | | | | | | | * Update documentation about Safari 4 supporting http only cookie - Source: www.greebo.net/2009/06/09/httponly-in-safari-40-release/ via http://stackoverflow.com/questions/528405/which-browsers-do-support-httponly-cookies | ||||
* | | Fix security guide capitalization errors | Jon Moss | 2016-05-16 | 1 | -15/+15 |
|/ | | | | | | | | | Would have submitted to docrails, but this guide was just changed today, and docrails doesn't have the most updated version :grimacing: cc @vipulnsward [ci skip] | ||||
* | Update the Rails security guide | Ralin Chimev | 2016-05-16 | 1 | -2/+2 |
| | | | | | | | | | | | Bring up-to-date the information about the session id in the Sessions section. The guide currently says that the session id is a md5 hash while the implementation uses a random hex string. Fixes #25032. [ci skip] | ||||
* | [ci skip] Parameter filter performs regular expression partial matching | Andrew Babichev | 2016-03-31 | 1 | -0/+2 |
| | |||||
* | Remove reference to unmaintained plugin/gem | Olivier Lacan | 2016-03-23 | 1 | -1/+1 |
| | | | | | | | | | [restful-authentication](https://rubygems.org/gems/restful-authentication/versions/1.2.1) hasn't been updated since September 6th, 2012 so it might not be a great idea to recommend that Rails users try it out. Devise seems like a much more popular and secure solution that automatically resets sessions on sign in and out so it's a great example in this case. /cc @tenderlove @josevalim | ||||
* | Change 'a HTTP' to 'an HTTP' [ci skip] | Santosh Wadghule | 2016-03-03 | 1 | -3/+3 |
| | |||||
* | Fixed grammatical errors in rails docs [ci skip] | Matt Michnal | 2016-02-09 | 1 | -2/+2 |
| | | | | | | Fixed errors in rails migrations docs [ci skip] Fixed errors in rails security docs [ci skip] | ||||
* | [ci skip] Fix grammar | Abhishek Jain | 2016-02-09 | 1 | -1/+1 |
| | |||||
* | use rails secret in rails guides | Ryo Hashimoto | 2016-02-03 | 1 | -1/+1 |
| | |||||
* | ApplicationRecord documentation pass | Genadi Samokovarov | 2015-12-17 | 1 | -1/+1 |
| | | | | | | | This is a pass over the documentation which fills the missing gaps of `ApplicationRecord`. [ci skip] | ||||
* | Fix a couple of grammatical errors in security.md | Existent Ltd | 2015-12-16 | 1 | -2/+2 |
| | |||||
* | Merge branch 'master' of github.com:rails/docrails | Vijay Dev | 2015-10-31 | 1 | -1/+1 |
|\ | |||||
| * | Improved `KeyError` messages on bang version, since commit ↵ | amitkumarsuroliya | 2015-10-11 | 1 | -1/+1 |
| | | | | | | | | https://github.com/rails/rails/commit/e768c519fb6015e00961702a5165c6dab548a954 bang version produces `KeyError` [ci skip] | ||||
* | | Improve readability in CSRF section of guide | Andy Lampert | 2015-10-07 | 1 | -4/+3 |
| | | |||||
* | | [ci skip] Change 'an URL' to 'a URL' as URL doesn't have a vowel sound | tanmay3011 | 2015-10-06 | 1 | -2/+2 |
| | | |||||
* | | Update text on CSS Injection / Myspace | Sean Collins | 2015-10-03 | 1 | -5/+3 |
|/ | | | | [skip ci] | ||||
* | Clarify CSRF <script> purpose and protection. Note how to deal with your own ↵ | Jeremy Daer | 2015-09-16 | 1 | -1/+3 |
| | | | | | | | | <script> tags. Ref #21618 [ci skip] | ||||
* | Improved explanation of the <script> tag CSRF behavior | Anshul Agrawal | 2015-09-14 | 1 | -1/+1 |
| | |||||
* | Merge branch 'master' of github.com:rails/rails | Vijay Dev | 2015-08-24 | 1 | -20/+20 |
|\ | | | | | | | | | Conflicts: guides/source/security.md | ||||
| * | Add bold to lists' titles [ci skip] | Alexey Markov | 2015-08-21 | 1 | -6/+6 |
| | | |||||
| * | Small fixes [ci skip] | Alexey Markov | 2015-08-20 | 1 | -12/+6 |
| | | |||||
| * | Small fixes [ci skip] | Alexey Markov | 2015-08-17 | 1 | -6/+5 |
| | | |||||
| * | Tiny documentation fixes [ci skip] | Robin Dupret | 2015-08-11 | 1 | -1/+6 |
| | | |||||
| * | [ci skip] Typo fixed | Dhia Eddine Chouchane | 2015-08-06 | 1 | -1/+1 |
| | | |||||
| * | Outdated information about session storage updated [ci skip] | Dhia Eddine Chouchane | 2015-08-06 | 1 | -2/+4 |
| | | | | | | | | The guide contains information about Rails 2 storing mechanism, but not Rails 4. Enhanced the accuracy and coherence of information (There was a part saying "Older versions of Rails use CookieStore, which uses `secret_token` instead of `secret_key_base` that is used by EncryptedCookieStore." while there was no mention of EncryptedCookieStore before) | ||||
* | | add commas removed earlier [ci skip] | Vijay Dev | 2015-08-24 | 1 | -1/+1 |
| | | |||||
* | | [ci skip] Fix to `a, b and c` format | yui-knk | 2015-07-25 | 1 | -1/+1 |
| | | |||||
* | | [ci skip] Fix minor typo | yui-knk | 2015-07-24 | 1 | -1/+1 |
| | | | | | | | | | | * Remove `,` * Fix `<`; -> `<` | ||||
* | | [ci skip] Minor fix | yui-knk | 2015-07-24 | 1 | -1/+1 |
|/ | | | | | * add a space * add a `.` | ||||
* | Add to Security guides the secrets.yml | Mauro George | 2015-07-06 | 1 | -0/+23 |
| | | | | [ci skip] |