Developing secure web apps with Ruby on Rails

Oct 13 2020
3 min
Chief Marketing Officer

October is National Cyber Security Awareness Month, so we asked Florin, our Head of Web Development at Wolfpack Digital, for his suggestions on improving web app security and his tips for building a web application with Ruby on Rails.

At Wolfpack Digital we use the latest technologies, which allow us to build secure and optimal solutions across different industries. This means making sure development is efficient while building powerful and scalable apps with data privacy, app security, pixel-perfect design and well-written code at the core, no matter if it is a fintech app, a healthcare app, or any other web application. Here are a few insights on how to build secure web apps, based on our development team's experience!

A short guide to building secure web applications

  • Serve everything over HTTPS. TLS (the successor to SSL) encrypts the connection between the browser and your web app, stops data being read or modified in transit, and gives your customers a visible reason to trust the site. Redirect plain HTTP to HTTPS and send the HSTS header so browsers refuse to downgrade later.
  • Put a CDN with DDoS protection and a web application firewall, such as Cloudflare, in front of the app. Cloudflare caches static content at data centres around the world, so your visitors connect to a nearby edge server: faster load times and lower bandwidth usage on your origin. On the security side it absorbs volumetric DDoS attacks, and its WAF rules block many known malicious request patterns (including common SQL injection payloads) before they reach your servers. Treat this as an extra layer rather than a substitute: WAF rules can be bypassed, so the application itself still has to handle injection correctly.
  • Sanitize user input to prevent web attacks. Much like the pandemic, if we do not sanitize well, the viruses get us. In software we keep users safe by validating and sanitizing input data. The setup is simple: a digital product has a pool of customers (its users) and a server, and using the product means exchanging data between the two. Most users send exactly the data the product needs to work, but an attacker can send malformed, malicious or unauthorized data to the server to cause harm, so every value that crosses that boundary must be treated as untrusted.

Validation checks that input meets a set of criteria before it is accepted (for example, a username matches an allowed character set, or a quantity is an integer in the expected range) and rejects anything that does not. Sanitization cleans what you do accept, either by removing dangerous content (stripping HTML tags from a free-text field) or by escaping it for the context in which it will be used (HTML, SQL, a shell). The two are not the same thing, and a check such as "the string contains no standalone single quotation marks" is a poor stand-in for either: it breaks legitimate input like O'Brien and does nothing against injection in other contexts. Combining validation and sanitization gives your web application defence in depth.

  • Prevent SQL Injections

If you skip escaping or parameterization, untrusted data ends up inside a SQL query and the attacker controls part of the statement. This is SQL injection: by manipulating request parameters an attacker reads or modifies data they should never see and bypasses authorization. When developing with Ruby on Rails, prevent it by never building SQL through string interpolation of user input. Use hash conditions or dynamic attribute-based finders (where(email: params[:email]), find_by(email: params[:email])), and when you need raw SQL, pass the values as bound placeholders (where("email = ?", params[:email])) rather than as a pre-built string. The rule of thumb: user input is data that gets bound into the command, never text that becomes part of the command.

Rails also helps against cross-site scripting, which is injection into HTML rather than SQL: ERB escapes plain strings automatically when it renders them, and the sanitize helper lets rich-text fields through while you specify exactly which tags are allowed. Keep in mind that these protect HTML output, not SQL; for SQL you rely on Active Record binding the values, as described above.
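The validate-then-bind rule from the sanitization and SQL injection items above, as an added example in plain Ruby (this is not code from the original post or from Rails). Because it has to run without a database, bind_sql is a deliberately stripped-down reimplementation of the quoting that Active Record's ? placeholder performs; the users table, the SORTABLE column map and the payload strings are constructed for the demo.

```ruby
require "erb"

# Added example, not Rails' own code. bind_sql/quote_literal re-create the
# essence of Active Record's "?" placeholder (SQL-standard quote doubling)
# so the difference between interpolating and binding is visible without a
# database. Column names and inputs below are constructed for the demo.

# Validation: accept only what matches an allow-listed pattern, reject the rest.
USERNAME = /\A[a-z0-9_]{3,20}\z/

def valid_username?(value)
  value.is_a?(String) && value.match?(USERNAME)
end

# Quote one SQL string literal: single quotes inside are doubled, so the
# literal can never terminate early. (Real drivers also handle encodings/NUL.)
def quote_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Bind values into "?" placeholders, the way where("name = ?", name) does.
def bind_sql(template, *values)
  parts = template.split("?", -1)
  raise ArgumentError, "placeholder/value count mismatch" unless parts.size == values.size + 1
  parts.each_with_index.map { |part, i| i.zero? ? part : quote_literal(values[i - 1]) + part }.join
end

# VULNERABLE (kept for comparison): user input spliced into the SQL text.
def unsafe_user_query(name)
  "SELECT * FROM users WHERE name = '#{name}' AND active = 1"
end

# SAFE: the input is bound as a literal and cannot change the statement shape.
def safe_user_query(name)
  bind_sql("SELECT * FROM users WHERE name = ? AND active = 1", name)
end

# Identifiers (column names, sort direction) cannot be bound as literals, so a
# value like params[:sort] must be validated against an allow-list instead.
SORTABLE = { "name" => "name", "created" => "created_at" }.freeze

def order_clause(sort_param)
  column = SORTABLE.fetch(sort_param) { raise ArgumentError, "unsupported sort: #{sort_param.inspect}" }
  "ORDER BY #{column}"
end

# Sanitization for HTML output: escape for the context. ERB templates in
# Rails do this automatically; here it is called explicitly.
def render_comment(text)
  "<p>#{ERB::Util.html_escape(text)}</p>"
end

if __FILE__ == $PROGRAM_NAME
  payload = "' OR 1=1 --"
  puts unsafe_user_query(payload)   # WHERE clause becomes '' OR 1=1 -- ... : every row matches
  puts safe_user_query(payload)     # the quote is doubled; the literal is just the payload
  puts order_clause("created")
  puts render_comment("<script>alert(1)</script>")
end
```

The unsafe query turns the payload into name = '' OR 1=1 -- and comments out the rest of the WHERE clause, so it returns every user; the bound version doubles the embedded quote and the statement shape never changes. Note the two places binding cannot help: identifiers such as the ORDER BY column (allow-list them) and output that is rendered as HTML (escape it for that context).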

  • Whitelist parameters

Whitelists (allow-lists) are a great way to build strong parameters, because they account for the fact that we, humans, forget things. Blacklisting means listing the bad things we do not want, but we only list what we think of at the moment of writing the list and we forget plenty of items (a list of spam senders is never complete). Whitelisting means listing the things we approve of (for example, accepting only emails on your company domain for login to certain apps/accounts), and anything not on the list is rejected by default.

When it comes to whitelisting parameters, as the app owner you decide up front which attributes a request may set: with strong parameters you require the top-level key and permit only the attributes you expect, so a mass-assigned request cannot flip a field such as an admin flag that you never meant to expose. The same mindset applies to controller filters: declare what a before_action applies to with :only => […] rather than :except => […], so a newly added action is protected by default instead of being forgotten.
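Strong parameters in action, as an added example (plain Ruby, not Rails' own implementation): permit below re-creates the allow-list behaviour of ActionController::Parameters#permit so it runs without Rails, and the User class and the REQUEST hash are constructed for the demo.

```ruby
# Added example, not Rails' own code. A plain-Ruby re-creation of what
# require/permit do, so the mass-assignment problem they solve can be run
# without a Rails app. User and REQUEST are constructed for the demo.

class ParameterMissing < StandardError; end

class User
  attr_accessor :name, :email, :admin

  # Mass assignment: every key in the hash becomes a setter call. This is
  # exactly what makes unfiltered request params dangerous.
  def initialize(attrs = {})
    @admin = false
    attrs.each { |key, value| public_send("#{key}=", value) }
  end
end

# The require step: the request must carry this top-level key.
def require_key(params, key)
  params.fetch(key.to_s) { raise ParameterMissing, "param is missing: #{key}" }
end

# Allow-list filter. Scalars are named as symbols; nested hashes are described
# by a hash of allowed keys, like permit(:name, address: [:city]) in Rails.
# Anything not listed (e.g. "admin" => true) is silently dropped, which is
# the Rails default as well.
def permit(params, *allowed)
  scalars = allowed.grep(Symbol).map(&:to_s)
  nested  = allowed.grep(Hash).reduce({}, :merge).transform_keys(&:to_s)
  params.each_with_object({}) do |(key, value), out|
    key = key.to_s
    if scalars.include?(key) && !value.is_a?(Hash)
      out[key] = value
    elsif nested.key?(key) && value.is_a?(Hash)
      out[key] = permit(value, *nested[key])
    end
  end
end

# Constructed request body, as a form or JSON post would be parsed. The
# attacker has added an "admin" field the form never offered.
REQUEST = {
  "user" => { "name" => "Mallory", "email" => "mallory@example.com", "admin" => true }
}.freeze

# VULNERABLE (kept for comparison): everything the client sent is assigned.
def build_user_unfiltered(request)
  User.new(request["user"])
end

# SAFE: only the permitted attributes reach the model.
def build_user_permitted(request)
  User.new(permit(require_key(request, :user), :name, :email))
end

if __FILE__ == $PROGRAM_NAME
  puts "unfiltered admin? #{build_user_unfiltered(REQUEST).admin}"
  puts "permitted  admin? #{build_user_permitted(REQUEST).admin}"
end
```

The unfiltered path hands the attacker an admin account; the permitted path keeps name and email and drops the rest. Whether dropped keys should be logged or should raise is a project decision (Rails exposes it as config.action_controller.action_on_unpermitted_parameters).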

  • Ensure token expiration and deactivation, and encrypt all cookies.

Many APIs now use token-based authentication instead of server-side sessions: on login the server issues a signed (or encrypted) token, and on every request it verifies the token instead of looking up stored session data. Every token must carry an expiry, and you need a way to deactivate one before it expires (a server-side revocation list, or rotating the signing key) for logout and for compromised accounts. Session-based authentication instead stores data about each user, usually in a cookie, so that cookie must be both encrypted and signed: it can then be neither read nor forged by the client. Rails' default cookie session store already does this using secret_key_base, which is one more reason to keep that secret out of the repository.
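The expiring, revocable token described above, as an added example built only on Ruby's standard library (not code from the original post; in a Rails app you would reach for a JWT gem or ActiveSupport::MessageVerifier instead). The secret, token lifetime and user ids are constructed for the demo.

```ruby
require "openssl"
require "base64"
require "json"

# Added example, not Rails' own code. A minimal HMAC-signed bearer token with
# a mandatory expiry and a revocation list. SECRET is generated here only for
# the demo; a real app loads it from credentials or the environment.
SECRET = OpenSSL::Random.random_bytes(32)

# Revoked token ids (jti). A real app keeps this in Redis or the database
# with a TTL equal to the token lifetime; after that the entry is pointless.
REVOKED = {}

def b64(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def sign(body)
  b64(OpenSSL::HMAC.digest("SHA256", SECRET, body))
end

# Issue "payload.mac". jti is random so two tokens for one user differ and
# can be revoked independently; exp is set from the ttl, never omitted.
def issue_token(user_id, ttl_seconds, now: Time.now.to_i)
  payload = { "sub" => user_id, "jti" => b64(OpenSSL::Random.random_bytes(16)),
              "iat" => now, "exp" => now + ttl_seconds }
  body = b64(JSON.generate(payload))
  "#{body}.#{sign(body)}"
end

# Constant-time comparison so the MAC check does not leak through timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the payload when the token is genuine, unexpired and not revoked,
# nil otherwise (never an exception the caller might forget to rescue).
def verify_token(token, now: Time.now.to_i)
  body, mac = token.to_s.split(".", 2)
  return nil if body.nil? || mac.nil?
  # Check the signature before parsing anything: untrusted bytes are not decoded first.
  return nil unless secure_equal?(sign(body), mac)
  payload = JSON.parse(Base64.urlsafe_decode64(body))
  return nil if payload["exp"].nil? || now >= payload["exp"]
  return nil if REVOKED.key?(payload["jti"])
  payload
rescue JSON::ParserError, ArgumentError
  nil
end

# Deactivate a token before its expiry (logout, password change, compromise).
def revoke_token(token, now: Time.now.to_i)
  payload = verify_token(token, now: now)
  REVOKED[payload["jti"]] = true if payload
  !payload.nil?
end

if __FILE__ == $PROGRAM_NAME
  token = issue_token(42, 900)
  puts verify_token(token).inspect
  revoke_token(token)
  puts verify_token(token).inspect
end
```

Two design points worth copying even if you use a library: verify the MAC before decoding the body, and make the expiry check unconditional, so a token without exp is invalid rather than eternal.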

  • Use bcrypt to hash and salt passwords. 

No matter the web app you have, there will always be usernames and passwords to validate (or at least we hope so). Hashing a password means applying a one-way function that takes input of any length and produces a fixed-length digest, so the database stores the digest rather than the password itself. Salting is not about spicing things up: a salt is a random string generated for each password and stored alongside its hash, so that two people with exactly the same password end up with different hashes and an attacker cannot crack them all at once with a precomputed table. A good password hash is also deliberately slow, which is what bcrypt adds over a plain cryptographic hash such as SHA-256. 

Rails integrates with the bcrypt gem for exactly this: add it to the Gemfile and has_secure_password on the model handles setting the password, (some) validation, salting, hashing, and an authenticate method for checking a login attempt.
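The salting and hashing mechanics described above, as an added example (not code from the original post). Because the bcrypt gem is not part of Ruby's standard library, this demo swaps in PBKDF2-HMAC-SHA256 from OpenSSL; the stored-string format, ITERATIONS value and passwords are constructed for the demo, and in a Rails app has_secure_password with bcrypt remains the right choice.

```ruby
require "openssl"
require "base64"

# Added example, not Rails' or bcrypt's own code. PBKDF2-HMAC-SHA256 stands
# in for bcrypt so this runs on the standard library alone; the mechanics
# shown (random per-password salt, slow derivation, self-describing stored
# string, constant-time check, work-factor upgrade) are the same.
# ITERATIONS follows OWASP's 2023 figure for PBKDF2-SHA256 (assumption).
ITERATIONS = 600_000

# Returns "pbkdf2-sha256$<iterations>$<salt>$<hash>". The salt is 16 random
# bytes generated per call, never derived from machine details.
def hash_password(password, iterations: ITERATIONS)
  salt = OpenSSL::Random.random_bytes(16)
  key  = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations,
                                  length: 32, hash: "SHA256")
  ["pbkdf2-sha256", iterations, Base64.strict_encode64(salt), Base64.strict_encode64(key)].join("$")
end

# Constant-time comparison so a wrong guess takes the same time however many
# leading bytes happen to match.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Re-derives the key from the stored salt and parameters and compares it.
# Malformed stored values verify as false rather than raising.
def verify_password(password, stored)
  algo, iterations, salt_b64, key_b64 = stored.to_s.split("$", 4)
  return false unless algo == "pbkdf2-sha256" && iterations.to_i > 0 && salt_b64 && key_b64
  salt     = Base64.strict_decode64(salt_b64)
  expected = Base64.strict_decode64(key_b64)
  actual   = OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: iterations.to_i,
                                      length: expected.bytesize, hash: "SHA256")
  secure_equal?(actual, expected)
rescue ArgumentError
  false
end

# Work factors rise over time: when a stored hash uses fewer iterations than
# the current setting, re-hash it at the next successful login.
def needs_rehash?(stored)
  stored.to_s.split("$", 4)[1].to_i < ITERATIONS
end

if __FILE__ == $PROGRAM_NAME
  a = hash_password("correct horse battery staple")
  b = hash_password("correct horse battery staple")
  puts a
  puts b                                  # same password, different salt, different hash
  puts verify_password("correct horse battery staple", a)
  puts verify_password("wrong", a)
end
```

The stored string carries the algorithm and iteration count, which is what lets needs_rehash? migrate users to a stronger setting transparently; bcrypt's $2b$12$... strings embed the cost factor for the same reason.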

  • Don't store third-party credentials (or other sensitive data) in the project's source. Keep them either in environment variables or encrypted inside the repository with Rails credentials (config/credentials.yml.enc, edited with bin/rails credentials:edit), where the master key that decrypts them stays out of version control.

There are many other measures you can take to up your game in web app development and security with Rails, and we highly recommend the official guide on Securing Rails Applications. Or just ask us and we will guide you through the entire web app development process and build a flawless application for you! 
