
For a recent project a friend of mine and I have been working on, we want to build a RESTful web API for client application usage. I believe that I have a fairly good grasp of the top-down picture after reading this, but am fairly clueless when it comes to security issues.

I know of OAuth and plan on implementing it, but are there any other concerns we should address first thing? I would hate to spend a large amount of time developing these features to find out later that we've left the site open for malicious attack.

Thanks.

Chuck Callebs

2 Answers

If you are looking for general information on Web security, check out OWASP Ruby on Rails Security Guide V.2. (There's also a first edition which I read back in the day.) Check out OWASP's web site for more security-related information.

Eric Bronnimann

A few more resources for you:

Great walkthrough of common web attacks and how to deal with them in Rails: https://www.honeybadger.io/blog/guides/2013/03/09/ruby-security-tutorial-and-rails-security-guide

Rails insecure defaults: http://blog.codeclimate.com/blog/2013/03/27/rails-insecure-defaults

All about SQL injection; goes beyond the simple examples: http://rails-sqli.org

New security issues are listed at

J_McCaffrey