From a88eb9087260cca256c6faba40bf538d4a0289b3 Mon Sep 17 00:00:00 2001 From: "yuuji.yaginuma" Date: Sun, 28 Jan 2018 16:00:33 +0900 Subject: Update `action_dispatch.default_headers` default value [ci skip] This was changed with 5d7b70f and 428939b. --- guides/source/security.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'guides/source/security.md') diff --git a/guides/source/security.md b/guides/source/security.md index ab5a5a7a31..de0b523057 100644 --- a/guides/source/security.md +++ b/guides/source/security.md @@ -1070,7 +1070,10 @@ Every HTTP response from your Rails application receives the following default s config.action_dispatch.default_headers = { 'X-Frame-Options' => 'SAMEORIGIN', 'X-XSS-Protection' => '1; mode=block', - 'X-Content-Type-Options' => 'nosniff' + 'X-Content-Type-Options' => 'nosniff', + 'X-Download-Options' => 'noopen', + 'X-Permitted-Cross-Domain-Policies' => 'none', + 'Referrer-Policy' => 'strict-origin-when-cross-origin' } ``` -- cgit v1.2.3 From 600c4138dd778f4e5633846b5b68a89dbb77193d Mon Sep 17 00:00:00 2001 From: Daniel Colson Date: Sun, 28 Jan 2018 17:44:01 -0500 Subject: Remove joke in security guide [ci skip] I think this is a joke, although not a great one. It's mildly unprofessional, so I think we should get rid of it. --- guides/source/security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'guides/source/security.md') diff --git a/guides/source/security.md b/guides/source/security.md index ab5a5a7a31..724d952d4e 100644 --- a/guides/source/security.md +++ b/guides/source/security.md 
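Review bot: the hunk at `@@ -1070,7 +1070,10 @@` adds three headers to the `config.action_dispatch.default_headers` sample but no accompanying text, so a reader of this section learns the new default values without learning what they protect against. Suggest adding one short bullet per new header to the list that explains the existing ones, e.g. `X-Download-Options: noopen` stops Internet Explorer from opening a downloaded file directly in the context of the site, `X-Permitted-Cross-Domain-Policies: none` forbids Flash and PDF clients from loading cross-domain policy files for the site, and `Referrer-Policy: strict-origin-when-cross-origin` sends only the origin on cross-origin requests and nothing on HTTPS to HTTP downgrades. The trailing comma added to the `'X-Content-Type-Options' => 'nosniff'` line keeps the hash literal consistent with the other entries.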
@@ -551,7 +551,7 @@ Here are some ideas how to hide honeypot fields by JavaScript and/or CSS: * make the elements very small or color them the same as the background of the page * leave the fields displayed, but tell humans to leave them blank -The most simple negative CAPTCHA is one hidden honeypot field. On the server side, you will check the value of the field: If it contains any text, it must be a bot. Then, you can either ignore the post or return a positive result, but not saving the post to the database. This way the bot will be satisfied and moves on. You can do this with annoying users, too. +The most simple negative CAPTCHA is one hidden honeypot field. On the server side, you will check the value of the field: If it contains any text, it must be a bot. Then, you can either ignore the post or return a positive result, but not saving the post to the database. This way the bot will be satisfied and moves on. You can find more sophisticated negative CAPTCHAs in Ned Batchelder's [blog post](http://nedbatchelder.com/text/stopbots.html): -- cgit v1.2.3 From 013fd84373ca5dd49d42170a82648ada5a2025bb Mon Sep 17 00:00:00 2001 From: Daniel Colson Date: Wed, 7 Feb 2018 18:00:03 -0500 Subject: Remove password anecdotes from guides [ci skip] --- guides/source/security.md | 12 ------------ 1 file changed, 12 deletions(-) (limited to 'guides/source/security.md') diff --git a/guides/source/security.md b/guides/source/security.md index 74256c7b84..28ddbdc26a 100644 --- a/guides/source/security.md +++ b/guides/source/security.md 
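Review bot: since the `+` line at `@@ -551,7 +551,7 @@` already rewrites the whole paragraph to drop "You can do this with annoying users, too.", the grammar of what remains could be tidied in the same change: "The most simple negative CAPTCHA" reads better as "The simplest negative CAPTCHA", "but not saving the post to the database" should be "without saving the post to the database", and "the bot will be satisfied and moves on" should be "the bot will be satisfied and move on". The removal itself is fine; the paragraph still makes its point that the server should treat any value in the hidden field as a bot signal and discard the submission.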
@@ -573,18 +573,6 @@ config.filter_parameters << :password NOTE: Provided parameters will be filtered out by partial matching regular expression. Rails adds default `:password` in the appropriate initializer (`initializers/filter_parameter_logging.rb`) and cares about typical application parameters `password` and `password_confirmation`. -### Good Passwords - -INFO: _Do you find it hard to remember all your passwords? Don't write them down, but use the initial letters of each word in an easy to remember sentence._ - -Bruce Schneier, a security technologist, [has analyzed](http://www.schneier.com/blog/archives/2006/12/realworld_passw.html) 34,000 real-world user names and passwords from the MySpace phishing attack mentioned [below](#examples-from-the-underground). It turns out that most of the passwords are quite easy to crack. The 20 most common passwords are: - -password1, abc123, myspace1, password, blink182, qwerty1, ****you, 123abc, baseball1, football1, 123456, soccer, monkey1, liverpool1, princess1, jordan23, slipknot1, superman1, iloveyou1, and monkey. - -It is interesting that only 4% of these passwords were dictionary words and the great majority is actually alphanumeric. However, password cracker dictionaries contain a large number of today's passwords, and they try out all kinds of (alphanumerical) combinations. If an attacker knows your user name and you use a weak password, your account will be easily cracked. - -A good password is a long alphanumeric combination of mixed cases. As this is quite hard to remember, it is advisable to enter only the _first letters of a sentence that you can easily remember_. For example "The quick brown fox jumps over the lazy dog" will be "Tqbfjotld". Note that this is just an example, you should not use well known phrases like these, as they might appear in cracker dictionaries, too. 
- ### Regular Expressions INFO: _A common pitfall in Ruby's regular expressions is to match the string's beginning and end by ^ and $, instead of \A and \z._ -- cgit v1.2.3
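Review bot: the hunk at `@@ -573,18 +573,6 @@` deletes the `### Good Passwords` heading, which removes the `#good-passwords` anchor; please confirm that no other part of the guide (or the guides index) links to that anchor, otherwise this change leaves dangling links. The deleted section also carried the only reference to the MySpace password analysis and the `[below](#examples-from-the-underground)` cross-reference, so the underground section is no longer introduced anywhere earlier in the guide; if that section still mentions the phishing attack, a one-line pointer from the `config.filter_parameters` NOTE or the surrounding text would keep the narrative connected. The leading `-` blank line at the start of the second part of the hunk correctly removes the separator before `### Regular Expressions`, so the heading now follows the NOTE directly.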