…secure express.js apps: don't run as root, secure your sessions, security headers and CSRF.
§ jeremydmiller:
I think there's a Heisenberg Uncertainty Principle thing w/ software process. Measuring my "progress" has an impact on my progress
§ And now for some local news: South Bay couple kidnap handyman, force him to repair household appliances.
My personal understanding of Rails up until an hour ago was that a CSRF violation would raise an exception. This would practically never get seen by a legitimate user operation, so few people are aware of that, but I had seen it a time or two when security auditing BCC. (Some of my geeky friends had, back in the day, exploited BCC with a CSRF and helpfully told me how to fix it. Naturally, after fixing it I verified that the site worked as expected with the fix.)
So if the CSRF …
Devise 1.1.6 has just been released and follows the Rails 3.0.4 release. Rails 3.0.4 changes how CSRF protection works and adds a new method called handle_unverified_request that should be properly overridden by authentication frameworks. Devise 1.1.6 implements this method and includes other small security fixes.
If you have updated to Rails 3.0.4, you must update to Devise 1.1.6. Those using Devise 1.2.rc should use master for a while; another RC is coming soon. For more information, check out the CHANGELOG.
There are two major changes in this fix: the behaviour when CSRF protection fails has changed, and the token will now be required for all non-GET requests.
After applying this patch, failed CSRF requests will no longer generate HTTP 500 errors; instead the session will be reset. Users can override this behaviour by overriding handle_unverified_request in their own controllers.
Users must still take care that users cannot be auto-logged in via non-session data. For example, an application …
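To make the behaviour change concrete, here is an added plain-Ruby model of the two CSRF failure modes described above (pre-3.0.4 raising, 3.0.4 resetting the session). It is constructed for this page and is not Rails code; it only borrows the hook names verified_request? and handle_unverified_request and assumes a single token value standing in for the form parameter or header.

```ruby
require "securerandom"

# Raised by the pre-3.0.4 behaviour; Rails rendered this as an HTTP 500.
class InvalidAuthenticityToken < StandardError; end

# Minimal session store (constructed stand-in for the Rails session hash).
class Session
  attr_reader :data
  def initialize(data = {}); @data = data; end
  def [](key); @data[key]; end
  def reset!; @data = {}; end
end

# Models a controller with forgery protection on. Rails 3.0.4 semantics:
# every non-GET request must carry a token matching the one in the session.
class Controller
  attr_reader :session
  def initialize(session); @session = session; end

  def verified_request?(method, token)
    method == "GET" || (!token.nil? && token == session[:_csrf_token])
  end

  # Dispatch: a failed check goes through the overridable hook, then the
  # action runs against whatever session is left (possibly an empty one).
  def process(method, token)
    handle_unverified_request unless verified_request?(method, token)
    session[:user_id] ? :authenticated : :anonymous
  end

  # Rails 3.0.4 default: drop the session instead of raising, so the forged
  # request runs without the victim's identity rather than blowing up.
  def handle_unverified_request
    session.reset!
  end
end

# Pre-3.0.4 behaviour: the failure surfaced as an exception (HTTP 500).
class LegacyController < Controller
  def handle_unverified_request
    raise InvalidAuthenticityToken, "token mismatch"
  end
end

# A logged-in session with a per-session token (constructed sample data).
def fresh_session(user_id)
  Session.new(user_id: user_id, _csrf_token: SecureRandom.hex(16))
end
```

Overriding handle_unverified_request in your own controller (for example to also sign out with Devise) changes only the failure path; the token check itself stays as above.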
…app showing SWFUpload working in tandem with restful-authentication, CSRF protection and paperclip.
Heresy is a schema-free wrapper around your database, heavily inspired by both CouchDB and FriendFeed.
A simple jQuery plugin for showing a text field's label inside the textbox itself. The hint disappears when the field is given focus, and appears again if the entered text is empty. Typically used for search …