DEV Community

Cover image for Ruby on Rails Security: 8 Best Practices
Karishma Vijay for SoluteLabs

Posted on • Originally published at

Ruby on Rails Security: 8 Best Practices

When creating a website application, one of the key focus areas should be security. It is crucial to protect customer data and prevent low-key vulnerabilities like content spoofing or CSRF to manage business continuity.

While developers can use numerous frameworks to secure their web applications, they should avoid relying on in-built security features to secure various applications from unauthorized access. While no form of security is appropriate to sandbox the applications, only webmasters have high capabilities to minimize this risk using frameworks.

So knowing the challenges, creating a secure Rails application proves beneficial. Following the best practices for Ruby on Rails Security ensures seamless web development with utmost security. Besides, relying on the best team of developers to power your apps with Ruby on Rails helps aim for robust application solutions across a wider market vertical.

What is Ruby on Rails?

Ruby on Rails is an open-source web application development framework which is written in Ruby programming language. It was developed by Yukihiro Matsumoto ("Matz") in 1995 and was meant to be object-oriented, easy to optimize by developers, and intuitive. This open-source, general-purpose programming language is also flexible, portable, and highly demanding.

The Ruby on Rails framework simplifies web application creation by providing default structures for a developer's code, databases, and the web pages that a particular application will serve. It uses the Model-View-Controller (MVC) architectural pattern, which separates the application code into three parts - The model, the view & the controller.

This pattern makes Rails flexible and useful for all types of web applications.

Securing Rails Applications Best Practices:

1. Force SSL

We can force the Rail application to employ and use a secure network using HTTPS protocol. This setting does the following -

  • Rails redirect a request for the HHTP version of the app to the HTTPS protocol every time.
  • It directs the internet browser to remember the app as Transport Layer Security (TLS)-only. TLS is an extension of the HTTPS protocol.
  • It sets up a secure flag on cookies. Due to this, browsers never send cookies with HTTP requests.

2. Secure Environment Differentiates

A common advice for developers is to never hardcore the API keys, access passwords, and sensitive login credentials in the source code. There is a likable chance of making them public accidentally or giving someone unauthorized access to other crucial app resources.

The secure Ruby application offers a secure way of storing credentials, but its implementation differs based on the framework's version.

  • Rails 4: This feature is known as 'secrets'. We can store sensitive data in a config/secrets.yml file, not tracked in the git repository.
  • Rails 5: We can encrypt sensitive information in config/credentials.yml.enc, and modify it with the config/master.key file. The feature is called 'credentials'. Simultaneously, while the YAML configuration document can be stored in the repository since it's encrypted, we need not monitor the master.key file.
  • Rails 6: Known as 'credentials', we can place credentials based on the environment. As a result, we can access the encrypted YAML document & key to decrypt it for every environment.

Click here to know more about “What's new with Ruby on Rails 7”

Alternatively, we can also set the goals on the server level. This lets it load only on the server side. Locally, we can also set them individually.

3. Authenticity_token

Rails protects web applications against CSRF or Cross-Site Request Forgery. This happens by including a token named authenticity_token in HTML responses. It is stored in a user's session cookies. The session comprises a hash of values and session IDs and is included in cookies.

Hence, every cookie sent to the user's browser has the session ID, which is a 32-character string. In Rails, we can use the following method to retrieve and save values:

Session [:user_id]


User. find (session [: user_id])

4. Model View Controller

Cross-site scripting gets exploited when the web fails to monitor the input from users (HTML, Javascript). This is one of the best Ruby on Rails built-in security features, which makes it quick to sanitize the user's data with the Model View Controller.

Any data stored or retrieved is passed via a model. We can also sanitize the input/output in our view using the sanitize method. It encodes various tags & strips those which are blacklisted.

5. Avoiding loops and using each method with a block

While loops are common and accepted without hesitation in most other programming languages, in Ruby, we should universally avoid them. This is because loops are less space efficient than using each method and passing it as a block. Variables representing each element are stored.

If you are a Rails webmaster, be extra cautious when blacklisting and whitelisting XSS payloads. The reason is that JavaScript is a dynamic language, unlike SQL. Therefore, there is always a chance to blacklist every XSS payload.

6. Fat Model, Skinny Controller

Here, you must write the code in your model and the controller, which follows the DRY principle. The DRY principle depicts that "every piece of knowledge must have a single, unambiguous, authoritative representation inside a system."

Another one of the Ruby on Rails best practices is to keep non-response-related logic out of controllers. This includes business logic or persistence/model-changing logic. Sometimes a logic might not seem to fit into the context of any model or controller. We must use our judgment to determine the best placement in those instances.

Some tips that we can follow here are -

  • Ensuring the controllers are only making simple queries to the model
  • Moving any code which is not related to the response and requesting out of that model
  • Using Plain Old Ruby Objects or PORO Ruby classes if the logic is of a specific domain and if it does not fit the context of a model
  • Using modules to extract a common functionality from otherwise unrelated functionality

7. CSRF Prevention

Attackers use the cross-site scripting method to steal cookies and modify the sessions. While it does not steal cookies to log in via the user's name, it allows the users to log in to sites vulnerable to CSRF.

Using Ruby on Rails, we can restrict CSRF by authenticity_token in HTML responses. This token can be stored within the user's cookie. However, this authentication token value differs. It is where Rails will recognize the request to decide the process.


Also known as Cross-Origin Resource Sharing, this security mechanism defines the scope of interactivity with the application's API. You can configure CORS by installing rack-cors. The next step is to create a file - cors.rb in the initializer directory and then define which endpoints the website can access.

Security Features to Protect Ruby Applications:

Rails offer several in-built apps to protect against input validation drawbacks and other probable website-based attacks. It provides numerous features for securing password saving features using crypt to hash salted passwords, missed password functionality, user registration and more.

The device is created on top of Warden. Warden provides a solid model for authentication in Rack-based Ruby applications. Warden provides cookie handling, which confirms the identity of a logged-in user via session string. Here the user ID is stored and masked away from public view.

Hence, this one is the perfect method among the many other security best practices with Ruby on Rails.

Also, Read: How to Generate Password Protected PDFs in Ruby on Rails

Final Words

Keeping the codes brief and well-oriented allows every developer to write secure codes in line with Matz's philosophy. It stresses optimizing every development process for the developer instead of the computer.

The security best practices with Ruby on Rails are defined by the community of developers who know efficient ways of coding. Surprisingly, the Rails community is fantastic, a big part of why Ruby developers choose to go with it.

At Solutelabs, we leverage Ruby on Rails development for scalable applications with enhanced code quality for big and small enterprises that look similar.

I hope you found this article helpful!

Top comments (0)