awesome-rails-security
A curated list of security resources for a Ruby on Rails application
https://github.com/0xedward/awesome-rails-security
Last synced: 3 days ago
JSON representation
-
Security Vulnerability Advisories
-
Logging and Monitoring
- ruby-security-ann - Another mailing list to get security announcements for Ruby, Rails, Rubygems, Bundler, and other Ruby ecosystem projects
- Synk - Vulnerability DB
- Synk - Vulnerability DB
- Ruby on Rails: Security - A mailing list to get security announcements for Ruby, Rails, Rubygems, Bundler, and other Ruby ecosystem projects
- Ruby-Lang - Security - A newsfeed for security vulnerabilities in the Ruby programming language
-
-
Resources
-
Labs - Vulnerable Applications
- Checkmarx - Codebashing - Lessons on common vulnerabilities implemented in Rails. Lessons on SQL Injection, XXE and Stored XSS are free.
- PentesterLab - Provides some vulnerable Rails environments to learn about security vulnerabilities, such as [CVE-2019-5420](https://pentesterlab.com/exercises/cve-2019-5420)
- Checkmarx - Codebashing - Lessons on common vulnerabilities implemented in Rails. Lessons on SQL Injection, XXE and Stored XSS are free.
- OWASP RailsGoat - A vulnerable version of the Ruby on Rails Framework from versions 3 to 5. It includes vulnerabilities from the OWASP Top 10, as well as some "extras" that the initial project contributors felt worthwhile to share. This project is designed to educate both developers, as well as security professionals.
- DeleteMe - Educational insecure Rails application
- PentesterLab - Provides some vulnerable Rails environments to learn about security vulnerabilities, such as [CVE-2019-5420](https://pentesterlab.com/exercises/cve-2019-5420)
-
Best Practices
- OWASP - Ruby on Rails Security Guide
- Ruby on Rails Security Basics
- Level Up Your Security in Rails
- Preproduction Security Checklist for a Rails App
- Rails Security Strategy Book
- Rails Security Checklist
- OWASP - Ruby on Rails Security Guide
- The Ruby Security Handbook
- Level Up Your Security in Rails
- rails-bestpractices.com - A newsfeed of code snippets on what practices should and should not be done in Rails
- OWASP - Ruby on Rails Cheatsheet - A cheatsheet that intends to provide quick basic Ruby on Rails security tips for developers. It complements, augments or emphasizes points brought up in the rails security guide from rails core
- Preventing security issues in Ruby on Rails (based on OWASP cheatsheet)
- secure_rails
- Securing Sensitive Data in Rails
- production_rails
- Ruby on Rails Security: Best Practices
- Ruby on Rails Security Basics
- Ruby on Rails Security 17-Item Checklist
- Securing Ruby on Rails Web Applications
- Ruby on Rails Web Application Vulnerabilities: How to Make Your App Secure
- Ruby on Rails Security Guide
-
Anti-Patterns
-
Additional Reading
- Attacking Ruby on Rails Applications
- The Evolution of Rails Security
- Rails Security: above and beyond the defaults
- Fixing Command Injection Vulnerabilities in Ruby/Rails
- Fixing File Access Vulnerabilities in Ruby/Rails
- Fixing SQL Injection Vulnerabilities in Ruby/Rails
- Fixing Command Injection Vulnerabilities in Ruby/Rails
- Fixing File Access Vulnerabilities in Ruby/Rails
- Fixing SQL Injection Vulnerabilities in Ruby/Rails
-
Official Resources
- Rails - Securing Rails Applications - This manual describes common security problems in web applications and how to avoid them with Rails
-
-
Reporting Bugs
-
Additional Reading
-
-
Gems
-
Authentication and OAuth
- Warden - General Rack Authentication Framework
- Devise - Flexible authentication solution for Rails with Warden
- Devise Security - A Devise extension to add additional security features required by modern web applications
- AuthLogic - An unobtrusive ruby authentication library based on ActiveRecord
- OmniAuth - A library that standardizes multi-provider authentication for web applications
- JWT - A ruby implementation of the RFC 7519 OAuth JSON Web Token (JWT) standard
- Knock - Seamless JWT authentication for Rails API
-
Request Management
- Secure Headers - Manages application of security headers with many safe defaults
- Rack::Attack - Rack middleware for blocking & throttling
- ssrf_filter - A ruby gem for defending against Server Side Request Forgery (SSRF) attacks
-
Static Code Analysis
- RoboCop - A Ruby static code analyzer and formatter, based on the community Ruby style guide
- Brakeman - A static analysis security vulnerability scanner for Ruby on Rails applications
- bundler-audit - Patch-level verification for Bundler
- Ruby Advisory Database - A database of vulnerable Ruby Gems. You can check your own Gemfile.locks against this database by using bundler-audit.
- dawnscanner - A source code scanner designed to review your ruby code for security issues
-
Rate Limiting
- ReCaptcha - A plugin that adds helpers for the reCAPTCHA API
-
Authorization
- CanCanCan - An authorization library for Ruby and Ruby on Rails which restricts what resources a given user is allowed to access.
- Pundit - Pundit provides a set of helpers which guide you in leveraging regular Ruby classes and object oriented design patterns to build a simple, robust and scaleable authorization system
-
File Upload
- CarrierWave - A gem that provides a simple and extremely flexible way to upload files from Ruby applications
-
Logging and Monitoring
- Exception Notification - A gem that provides a set of notifiers for sending notifications when errors occur in a Rack/Rails application
-
Password Strength
- zxcvbn-ruby - Ruby port of zxcvbn.js (Low-Budget Password Strength Estimation)
-
-
Tools
-
Logging and Monitoring
- Sqreen - Unified security monitoring and protection for modern cloud & on-prem environments
- Report URI
-
Static Code Analysis
- rails_best_practices - A code metric tool to check the quality of Rails code
- Hawkeye scanner-cli - A project security, vulnerability and general risk highlighting tool
- git-secrets - Prevents you from committing passwords and other sensitive information to a git repository
- GuardRails - Continuous security feedback for your GitHub repositories
- Hakiri - Hakiri monitors Ruby apps for dependency and code security vulnerabilities
-
Programming Languages
Sub Categories
Keywords
ruby
11
security
7
rails
6
security-audit
4
vulnerabilities
3
security-tools
2
ruby-on-rails
2
oauth-json-web
1
ruby-jwt
1
checklist
1
rails-security
1
rails-security-checklist
1
security-hardening
1
bundler-audit
1
dependency-checker
1
patch-management
1
ruby-advisory-db
1
appsec
1
jwt-token
1
jwt
1
static-analysis
1
security-vulnerability
1
brakeman
1
cancancan
1
authorization
1
yaml
1
security-advisories
1
rubysec
1
metadata
1
advisory-files
1
xframe-options
1
secure-headers
1
referrer-policy
1
rack
1
middleware
1
hsts
1
csp
1
cookie
1
content-security-policy
1
ssrf
1
server-side-request-forgery
1
gem
1
session-management
1
passwords
1
password-expiration
1
mongoid
1
devise-modules
1
devise
1
activerecord
1
sinatra
1