eliotsykes / rails-security-checklist Public

Notifications You must be signed in to change notification settings
Fork 97
Star 1.4k

Code
Issues 69
Pull requests
Actions
Projects
Security
Insights

Additional navigation options

Code
Issues
Pull requests
Actions
Projects
Security
Insights

Issues: eliotsykes/rails-security-checklist

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

69 Open 3 Closed

Author

Filter by author

Label

Filter by label

Use alt + click/return to exclude labels

or ⇧ + click/return for logical OR

Projects

Filter by project

Milestones

Filter by milestone

Assignee

Filter by who’s assigned

Assigned to nobody

Sort

Sort by

Newest Oldest Most commented Least commented Recently updated Least recently updated Best match

Most reactions

Issues list

Sensitive data in logs: Check ActiveRecord::Base.filter_attributes has intended value, it is brittle

#87 opened Jan 1, 2024 by eliotsykes

Setup GitHub's CodeQL scanner on repo to find vulnerabilities

#86 opened Nov 3, 2023 by eliotsykes

Turbo signed-stream-name never expires

#85 opened Sep 11, 2023 by eliotsykes

Beware ransack < v4 insecure defaults

#84 opened Aug 30, 2023 by eliotsykes

Consider setting config.active_storage.draw_routes = false in production, if not used

#82 opened Mar 23, 2022 by eliotsykes

On logout, sessions should be invalidated to mitigate stolen cookie attacks

#81 opened Jan 26, 2022 by eliotsykes

Protect against open redirects

#80 opened Aug 9, 2021 by eliotsykes

Invalidate sessions on logout

#79 opened Jul 28, 2021 by eliotsykes

Mitigate Host Header Attacks

#78 opened May 6, 2021 by eliotsykes

Favor stronger digest algos in Rails config

#77 opened Mar 2, 2021 by eliotsykes

Always use Bundler source blocks to ensure private gems come from correct source

#76 opened Feb 19, 2021 by eliotsykes

Beware internal/private gem name duplicated and replaced by attacker's public gem (dependency confusion)

#75 opened Feb 19, 2021 by eliotsykes

Calendar recurring review of Stripe (et al.) plans, coupons to retire if no longer needed

#74 opened Nov 9, 2020 by eliotsykes

Review gem update diffs for security using Diffend.io

#73 opened Oct 15, 2020 by eliotsykes

Beware constantize

#72 opened Sep 21, 2020 by eliotsykes

Remove unused code

#71 opened Aug 19, 2020 by eliotsykes

Remove unused routes (traceroute gem)

#70 opened Aug 19, 2020 by eliotsykes

Heroku's router logs sensitive query strings (no mitigation yet)

#69 opened Aug 13, 2020 by eliotsykes

Devise registerable module may allow attackers to register themselves as staff/admins

#68 opened Aug 11, 2020 by eliotsykes

OWASP guidelines on max password length

#67 opened Jul 24, 2020 by eliotsykes

Consider mentioning chamber for securing secrets

#66 opened Apr 19, 2020 by eliotsykes

Use secure default to disable logging job arguments

#65 opened Nov 18, 2019 by eliotsykes

Place throttles close to the code they are protecting

#64 opened Aug 27, 2019 by eliotsykes

Prefer unminified, easy to review JS files

#63 opened Aug 27, 2019 by eliotsykes

Keep JS libs up-to-date

#62 opened Aug 27, 2019 by eliotsykes

Previous 1 2 3 Next

Previous Next

ProTip! Follow long discussions with comments:>50.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly