如何针对 Firesheep 保护 Rails 应用程序?

我找不到一个简单的指南来保护 Ruby on Rails 应用程序免受 Firesheep 的影响.

I have not been able to find an easy guide for securing a Ruby on Rails app against a Firesheep.

如果您不知道，Firesheep 会在您的应用不强制使用 SSL 并在 cookie 中设置安全标志时插入会话 cookie.我不得不做一些搜索才能找到这两件事，所以我想我会在这里发布我找到的东西，看看是否还有我遗漏的东西.

In case you don't know, Firesheep jacks session cookies if your app doesn't force SSL and set the secure flag in the cookie. I had to do some searching to find these two things, so I thought I'd post what I found here and see if there is anything else I'm missing.

第 1 步强制 SSL

我发现有两种方法可以做到这一点.一种是使用 ssl_requirement 插件，但这很麻烦，因为您必须专门指定 ssl_required:action1, :action2 在每个控制器中.

There are two ways to do this that I found. One is using the ssl_requirement plugin, but this is a pain because you have to specifically specify ssl_required :action1, :action2 in every controller.

最好的方法似乎是使用机架中间件，通过这篇文章:在 Rails 2 应用程序中使用 ssl_requirement 强制 SSL.很有魅力.

The preferable way appears to be by using Rack Middleware, via this post: Force SSL using ssl_requirement in Rails 2 app. Works like a charm.

第 2 步确保 cookie 安全

Step 2 Make cookies secure

为此，我遵循了 这些说明，它告诉您将以下内容放入config/environment/production.rb 文件中:

For this I followed these directions, which tell you to put the following in your config/environment/production.rb file:

config.action_controller.session = {
    :key     => 'name_of_session_goes_here',
    :secret          => 'you need to fill in a fairly long secret here and obviously do not copy paste this one',
    :expire_after    => 14 * 24 * 3600, #I keep folks logged in for two weeks
    :secure => true #The session will now not be sent or received on HTTP requests.
  }

这在我的 Rails 2.x 应用程序中非常简单.我错过了什么吗?Rails 3 有什么不同吗?

This was all pretty straight-forward on my Rails 2.x app. Did I miss anything? Is it different for Rails 3?