The RailsNotes Newsletter 🟥 ISSUE #19

🟥 ISSUE #19 (Rails security, SQL injection, hardening Devise, Lockbox)

Author

Harrison Broadbent
November 17, 2023

Your secure Rails app keeping hackers at bay, after implementing these security tips 😅 💥 

— SPONSOR —

Learn about subqueries, materialized views, and custom data types in Postgres and Rails with real examples, and real code. 

Welcome to The RailsNotes Newsletter — Issue #19! This issue is all about application security!

Nearly up to Issue #20! It’s getting hard to keep coming up with ideas 😅 If you’ve got any, I’d love to hear them! This week you probably saw me sharing RAILSG on Twitter; It’s since been picked up and shared heaps, including in two other Ruby newsletters! The site has been visited over 1k times this week! 🤯 

Over 1000 Rails devs (like yourself!) have played around with railsg.xyz!

This week’s newsletter is all about securing your Rails app. Often overlooked, but important (especially if your app gets some traction!). This edition is essentially just an ode to Andrew Kane; he’s written most of the articles in this edition (but they’re great!) 😅 

Before we start, don’t forget to grab the the free advanced database e-book from PgAnalyze (our sponsor), since it’s actually pretty great! It’s got a couple of great diagrams like the one below, and lots of handy code examples and breakdowns of a few advanced database techniques (subqueries, materialized views, custom types etc.) —

Let’s dive into the newsletter!

~ FEATURED ARTICLE ~

Lock that baby (your production Rails app with real user data ) up! 🔐 

Andrew Kane is prolific in the Rails space for all the packages and guides he’s published for us developers. This particular guide is a collection of security tips and best practices for Ruby on Rails apps, and is packed with clear, actionable tips to make your app more secure.

From forcing SSL encryption, to encrypting data in your database, using static analysis tools like brakeman and more — Andrew covers it all in this surprisingly short GitHub document.

Well worth a read, particularly if you’ve got a live Rails app with real user data stored (less relevant to random toy apps and tiny side projects).

(Andrew Kane’s work makes up ¾ of all the articles in this newsletter 👀 he’s one of the only people actively writing about and building solutions for Rails security, that I’ve found)

~ MORE ARTICLES  ~

This is a collection of heaps of different SQL injection methods and examples specific to Ruby on Rails apps.

This was pretty eye-opening! I’ve known of SQL injection for a while, but I’d never actually seen it in practice. This article was the perfect intro, with tons of great code examples. tldr: don’t ever pass raw params into a SQL/ActiveRecord statement! A looooot of things can go wrong 💥 👾 

I use Devise, you probably use Devise, most of us are probably using Devise! This article looks at Devise through a security lens and covers ways to make it more secure.

The main things here are sending emails for password/email changes, rate-limiting logins, and using the AuthTrail gem to track logins. Worth a quick read, and it links out to more articles at the bottom if you’re keen to keep going down the security rabbit hole 🐇 

Andrew’s third article for this edition! This one covers securing user emails with Lockbox, his Rails gem for encrypted columns.

Even though this article focuses on emails, you can apply the same principles to encrypt any column in your Rails app, like birthdates, sensitive tokens etc.

~ ⚒️ HANDY TIP ~ 

→ Force SSL in production

Forcing SSL in production is a dead-simple win for your app security, and Rails makes it easy.

This tip is from Secure Rails (above), and it’s short and sweet. Rails gives you an easy way to force SSL, which forces all traffic to use HTTPS (which encrypts all data in transit)

# config/environments/production.rb
#
config.force_ssl = true