如何针对 Firesheep 保护 Rails 应用程序?
我找不到一个简单的指南来保护 Ruby on Rails 应用程序免受 Firesheep 的影响.
I have not been able to find an easy guide for securing a Ruby on Rails app against a Firesheep.
如果您不知道,Firesheep 会在您的应用不强制使用 SSL 并在 cookie 中设置安全标志时插入会话 cookie.我不得不做一些搜索才能找到这两件事,所以我想我会在这里发布我找到的东西,看看是否还有我遗漏的东西.
In case you don't know, Firesheep jacks session cookies if your app doesn't force SSL and set the secure flag in the cookie. I had to do some searching to find these two things, so I thought I'd post what I found here and see if there is anything else I'm missing.
第 1 步强制 SSL
我发现有两种方法可以做到这一点.一种是使用 ssl_requirement 插件,但这很麻烦,因为您必须专门指定 ssl_required:action1, :action2
在每个控制器中.
There are two ways to do this that I found. One is using the ssl_requirement plugin, but this is a pain because you have to specifically specify ssl_required :action1, :action2
in every controller.
最好的方法似乎是使用机架中间件,通过这篇文章:在 Rails 2 应用程序中使用 ssl_requirement 强制 SSL.很有魅力.
The preferable way appears to be by using Rack Middleware, via this post: Force SSL using ssl_requirement in Rails 2 app. Works like a charm.
第 2 步确保 cookie 安全
Step 2 Make cookies secure
为此,我遵循了 这些说明,它告诉您将以下内容放入config/environment/production.rb
文件中:
For this I followed these directions, which tell you to put the following in your config/environment/production.rb
file:
config.action_controller.session = {
:key => 'name_of_session_goes_here',
:secret => 'you need to fill in a fairly long secret here and obviously do not copy paste this one',
:expire_after => 14 * 24 * 3600, #I keep folks logged in for two weeks
:secure => true #The session will now not be sent or received on HTTP requests.
}
这在我的 Rails 2.x 应用程序中非常简单.我错过了什么吗?Rails 3 有什么不同吗?
This was all pretty straight-forward on my Rails 2.x app. Did I miss anything? Is it different for Rails 3?
我觉得还不错.它在 Rails 3 中非常相似,但默认情况下会话配置存储在 config/initializers/session_store.rb 中.我通常会调整我的看起来像......
Looks pretty good to me. It's pretty similar in Rails 3, though by default the session config is stored in config/initializers/session_store.rb. I usually tweak mine to look something like...
MyApp::Application.config.session_store :cookie_store, :key => '_my_app_session',
:secure => Rails.env == 'production', # Only send cookie over SSL when in production mode
:httponly => true, # Don't allow Javascript to access the cookie (mitigates cookie-based XSS exploits)
:expire_after => 60.minutes
秘密保存在 config/initializers/secret_token.rb 中:
And the secret is held in config/initializers/secret_token.rb:
MyApp::Application.config.secret_token = 'secret secrets are no fun...'
如果您有权访问您的 Apache(或其他)配置,您还可以在该级别强制使用 SSL.我认为这是一个更合适的地方,但我想不是每个人都有这个选择.
If you have access to your Apache (or whatever) config, you can also force SSL usage at that level. Strikes me as a more appropriate place to do that, but I guess not everyone has that option.