Chapter 11. Security


Security is important to some degree in most software, but is especially important in web applications because of the public nature of the Internet. In many cases, some part of your application is accessible to anyone, or any script, that may be trying to attack it. The motivation for the attack is usually impersonal; many scripts automatically hunt the Web for known vulnerabilities. In some cases, your application may contain information that is worth trying to steal, such as credit card numbers or other personal information about your application’s users.

The best approach is to treat all your applications with care when it comes to securing them from attackers. That way, the skills and best practices you use will become good habits that you can apply to all your projects.

The two big security categories for web applications are SQL injection and cross-site scripting (XSS). Other attacks could come from your server becoming compromised by some other type of network attack or by a compromised user account.

Keep this basic rule in mind: filter input, escape output.
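As an added example (not code from the book), here is the rule in plain Ruby with no Rails dependency: a whitelist filter on the way in, HTML escaping on the way out. The function names and the username pattern are my own choices.

```ruby
require 'cgi'

# Filter input: accept only what the field is allowed to contain.
# The pattern is an assumption for this example; pick one per field.
USERNAME_FORMAT = /\A[a-z0-9_]{3,20}\z/i

def filter_username(raw)
  value = raw.to_s.strip
  return nil unless value =~ USERNAME_FORMAT
  value
end

# Escape output: HTML-encode anything user-supplied before it is
# written into a page. CGI.escapeHTML does what Rails' h() helper does,
# turning <, >, &, " and ' into entities so markup renders as text.
def escape_output(value)
  CGI.escapeHTML(value.to_s)
end

# A username is constrained, so filtering rejects hostile values
# outright and escaping is a second line of defense.
def greeting_html(raw_username)
  name = filter_username(raw_username)
  return '<p>Invalid username</p>' if name.nil?
  "<p>Hello, #{escape_output(name)}</p>"
end

# A comment body is free text and cannot be whitelisted the same way;
# here the escape step alone keeps a stored <script> tag inert.
def comment_html(body)
  "<div class=\"comment\">#{escape_output(body)}</div>"
end

if __FILE__ == $0
  puts greeting_html("  alice_01 ")
  puts greeting_html("<script>alert(1)</script>")
  puts comment_html('<script>alert("x")</script>')
end
```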

Hardening Your Systems with Strong Passwords


Short, guessable passwords represent a serious security risk to your servers and the services that run on them. You want a reliable system for creating sufficiently strong passwords or passphrases, and a way to manage them.


Generating strong passwords or passphrases is one of the most important things you can do to protect ...

Get Rails Cookbook now with O’Reilly online learning.