Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Go through the security checklist #103

Open
7 tasks
eugenk opened this issue Apr 14, 2017 · 0 comments
Open
7 tasks

Go through the security checklist #103

eugenk opened this issue Apr 14, 2017 · 0 comments
Labels
meta-issue

Comments

@eugenk
Copy link
Member

eugenk commented Apr 14, 2017
edited
Loading

See https://github.com/brunofacca/zen-rails-security-checklist.
Some of this is only applicable to apps with html views, but some of it is very important for the API-side as well.

Update (16 Nov 2017)

I went through the checklist and these are the points which we need to pay a little bit more attention to:

Authentication

  • Expire the session at log out and expire old sessions at every successful login. Mitigates CSRF, session hijacking and session fixation attacks by reducing their time-frame.

    Backend: We would need to have a column session_key for a User that is re-written on every sign-in. A sign-out would delete the session_key. This requires a signOutMutation. Authentication only happens if the correct session_key is inside the JWT.

    Frontend: Sign-out not only deletes the JWT in the browser, but also invalidates the session_key

  • Expire sessions after a period of inactivity (e.g., 30 minutes). Mitigates CSRF, session hijacking and session fixation attacks by reducing their time-frame.

    Backend: We do have an expiration time in the JWT but, currently, we don't check it during authentication.

  • Consider using two-factor authentication (2FA) as provided by Authy. Provides a highly effective extra layer of authentication security.
    Devise: see the devise-two-factor and authy-devise gems.

HTTP & TLS

Security-related headers

Security Tools

  • Run Brakeman before each deploy. If using an automated code review tool like Code Climate, enable the Brakeman engine.

  • Consider using a continuous security service such as Detectify.

    Detectify automatically scans the application for several hundred security vulnerabilities. It even has a free plan for nonprofit organisations (but only one domain/subdomain). They need to be contacted by mail in this case.

  • Consider using a Web Application Firewall (WAF) such as
    NAXSI for Nginx,
    ModSecurity for Apache and Nginx.
    Mitigates XSS, SQL Injection, DoS, and many other attacks.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
meta-issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@eugenk @phyrog