Chapter 5. Security

Given a choice between dancing pigs and security, users will pick dancing pigs every time.

—Ed Felten and Gary McGraw

Security issues are often overlooked on smaller sites or low-traffic applications; unfortunately, the reach of the Web has expanded to a point where end-to-end security is essential on any public-facing web site. There actually are people with nothing better to do than run a distributed denial-of-service attack on “Aunt Edna’s Funny Cat Pictures.” Nobody can afford to ignore the dangers that face a site simply as a consequence of being accessible on the Internet.

In this chapter, we will take a top-down approach to examining the various security-related issues that plague web application developers. We start by examining the architectural, application-level principles you should keep in mind. Later, we will get progressively more detailed. We will examine the security-related issues you should keep in mind when working at a lower level in Rails.

Application Issues

First, we will examine some important principles that should guide the design of any web application.


The most important guideline in the area of authentication is simple:

          Always salt and hash all passwords!

There are very few valid exceptions to this rule, and even fewer apply to web applications. The only possible reason to store passwords in plain text is if they must be provided to an external service in plain text. Even then, the passwords should be symmetrically ...

Get Advanced Rails now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.