xdite/checlist.md

Created May 21, 2013 07:19

Star () You must be signed in to star a gist
Fork () You must be signed in to fork a gist

Learn more about clone URLs
Clone this repository at <script src="https://gist.github.com/xdite/5618045.js"></script>
Save xdite/5618045 to your computer and use it in GitHub Desktop.

Download ZIP

Raw

checlist.md

Security is Hard

Massive Assignment

watch for ActiveRecord Relation, like has_many, has_many :through
watch for user_roles, `group_users
UPDATE action

Admin

use https://
use subdmoain
use different domain
Add Whitelist
don't use database attributes for admin?
3rd party is an option github

Routing

remove match ':controller(/:action(/:id(.:format)))'
avoid match

HTML escape

watch for list, breadcrumb
break complexy HTML helper to partials
don't concat HTML in helper
watch for TinyMCE content
sanitize the tags

Search

watch form search functions
actions with complex options, ex [:date],[:order],[:field]
actions with complex joins
avoid find_by_sql, count_by_sql

Opensource Project

replace secret_token.rb after cloing opensource project
release opensource project, set token in ENV['SECRET_TOKEN']
release opensource project, set .gitignore to secret_token.rb

Scopes

watch for EDIT, UPDATE, DESTROY
using scopes filter to filter out illegal access as 404
use cancan to authorize resources

Upgrade

upgrade Rails version > 3.2.11

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment