Greg Molnar

6 security improvements in Rails 7

09 May 2022

Rails has been one of the most secure frameworks by default for a long time, but there is always room for improvement, and the latest version brings a few nice ones.

Change default X-XSS-Protection header

This header is deprecated, and the XSS auditor it controls should be disabled in the older browsers that still implement it, because the auditor itself can introduce additional security issues.

Support for a CSP policy with trusted-types

You can now use this experimental CSP directive to control what data is passed to DOM XSS sinks such as Element.innerHTML, which lowers the attack surface for a DOM-based XSS.

Raise on redirect_to open redirects

Rails 7 has a new option to raise an exception if redirect_to is called with an untrusted URL. To enable it, set: ActionController::Base.raise_on_open_redirects = true
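As an added illustration of the rule behind this option (my own plain-Ruby sketch, not Rails's implementation): any target whose host differs from the current request host is treated as unsafe unless the caller explicitly opts in. The UnsafeRedirectError class and the function names are assumptions made for this example.

```ruby
require "uri"

# Hypothetical error class standing in for the exception Rails raises (not Rails code).
class UnsafeRedirectError < StandardError; end

# Return +target+ when it is safe to redirect to, otherwise raise UnsafeRedirectError.
# Safe means: a relative path, or an http(s) URL whose host equals +current_host+.
# allow_other_host: true models the explicit opt-in for a deliberate external redirect.
def safe_redirect_target(target, current_host:, allow_other_host: false)
  return target if allow_other_host

  str = target.to_s.strip
  begin
    uri = URI.parse(str)
  rescue URI::InvalidURIError
    raise UnsafeRedirectError, "unparseable redirect target: #{str.inspect}"
  end

  # Only scheme-less or http(s) targets; rejects javascript:, data: and friends.
  unless uri.scheme.nil? || %w[http https].include?(uri.scheme.downcase)
    raise UnsafeRedirectError, "disallowed scheme in #{str.inspect}"
  end

  # Protocol-relative targets ("//evil.example") and userinfo tricks
  # ("http://example.com@evil.example") both parse to a foreign host, so they fail here.
  host = uri.host&.downcase
  unless host.nil? || host == current_host.downcase
    raise UnsafeRedirectError, "redirect to foreign host #{host.inspect}"
  end

  str
end

# Convenience predicate: true when the target would be accepted, false when it would raise.
def safe_redirect?(target, current_host:)
  safe_redirect_target(target, current_host: current_host)
  true
rescue UnsafeRedirectError
  false
end
```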

Tag helpers XSS protection

ActionView::Helpers and ERB::Util now escape tag names and tag attribute names in the tag helpers by default. This is another nice improvement that lowers the chance of an XSS vulnerability.

Sensitive attributes filtering from logs

Previously, the SQL queries in the logs could contain passwords and other sensitive information, but from Rails 7 on, attributes configured in ActiveRecord::Base.filter_attributes are filtered out of the logs.

Attribute encryption

You can now configure your model attributes to be encrypted: Rails encrypts them before saving them to the database and decrypts them on retrieval.

Did you enjoy reading this? Follow me on Twitter for more content like this!