| name | rails-security |
| description | Specialized skill for Rails security, authorization, and data protection. Use when implementing Pundit policies, Lockbox encryption, Blind Index searches, authentication, secure configuration, or fixing security vulnerabilities. Includes security best practices and common pitfall prevention. |
Rails Security & Data Protection
Comprehensive security implementation with Lockbox, Blind Index, and Pundit.
When to Use This Skill
- Implementing authorization with Pundit policies
- Encrypting sensitive data with Lockbox
- Adding searchable encryption with Blind Index
- Configuring authentication (Devise)
- Setting up secure credentials and secrets
- Implementing two-factor authentication
- Fixing security vulnerabilities
- Setting up HTTPS, CORS, CSP
- Preventing common attacks (XSS, CSRF, SQL injection)
Core Security Stack
gem "lockbox"
gem "blind_index"
gem "pundit"
gem "devise"
gem "brakeman"
gem "bundler-audit"
Encryption at Rest (Lockbox)
Setup
$ rails lockbox:install
Encrypting Model Fields
class User < ApplicationRecord
has_encrypted :email, :ssn, :phone, :credit_card_number
end
Migration
class AddEncryptedFieldsToUsers < ActiveRecord::Migration[7.1]
def change
add_column :users, :email_ciphertext, :text
add_column :users, :ssn_ciphertext, :text
add_column :users, :phone_ciphertext, :text
end
end
Usage
user = User.create!(email: "user@example.com")
user.email
user.email_ciphertext
Searchable Encryption (Blind Index)
Setup
class User < ApplicationRecord
has_encrypted :email, :phone
blind_index :email
blind_index :phone
end
Migration
class AddBlindIndexesToUsers < ActiveRecord::Migration[7.1]
def change
add_column :users, :email_bidx, :string
add_column :users, :phone_bidx, :string
add_index :users, :email_bidx, unique: true
add_index :users, :phone_bidx
end
end
Searching Encrypted Fields
user = User.find_by(email: "user@example.com")
users = User.where(email: "user@example.com")
User.where("email LIKE ?", "%partial%")
User.where("email > ?", "a@a.com")
Authorization (Pundit)
Setup
class ApplicationController < ActionController::Base
include Pundit::Authorization
rescue_from Pundit::NotAuthorizedError, with: :user_not_authorized
private
def user_not_authorized
flash[:alert] = "You are not authorized to perform this action."
redirect_to(request.referrer || root_path)
end
end
Policy Example
class ArticlePolicy < ApplicationPolicy
def index?
true
end
def show?
record.published? || user_is_author?
end
def create?
user.present?
end
def update?
user_is_author? || user&.admin?
end
def destroy?
user_is_author? || user&.admin?
end
class Scope < Scope
def resolve
if user&.admin?
scope.all
elsif user
scope.where(published: true).or(scope.where(user: user))
else
scope.where(published: true)
end
end
end
private
def user_is_author?
user && record.user == user
end
end
Using in Controllers
class ArticlesController < ApplicationController
def index
@articles = policy_scope(Article)
end
def show
@article = Article.find(params[:id])
authorize @article
end
def update
@article = Article.find(params[:id])
authorize @article
if @article.update(article_params)
redirect_to @article
else
render :edit
end
end
end
Using in Views
<% if policy(@article).update? %>
<%= link_to "Edit", edit_article_path(@article) %>
<% end %>
<% if policy(@article).destroy? %>
<%= button_to "Delete", article_path(@article), method: :delete %>
<% end %>
Authentication (Devise)
Strong Configuration
Devise.setup do |config|
config.password_length = 12..128
config.paranoid = true
config.lock_strategy = :failed_attempts
config.maximum_attempts = 5
config.unlock_strategy = :time
config.unlock_in = 1.hour
config.timeout_in = 30.minutes
end
Secure Configuration
Never Commit Secrets
/.env
/config/master.key
/config/credentials/*.key
Use Rails Credentials
$ EDITOR=vim rails credentials:edit
aws:
access_key_id: YOUR_KEY
secret_access_key: YOUR_SECRET
Rails.application.credentials.aws[:access_key_id]
HTTPS Enforcement
config.force_ssl = true
Common Security Pitfalls
1. Mass Assignment
def create
User.create(params[:user])
end
def create
User.create(user_params)
end
private
def user_params
params.require(:user).permit(:name, :email, :password)
end
2. SQL Injection
User.where("name = '#{params[:name]}'")
User.where("name = ?", params[:name])
User.where(name: params[:name])
3. XSS (Cross-Site Scripting)
<%# VULNERABLE %>
<%= raw @article.body %>
<%= @article.body.html_safe %>
<%# SAFE - Escape by default %>
<%= @article.body %>
<%# Or sanitize allowed HTML %>
<%= sanitize @article.body, tags: %w[p br strong em] %>
4. Insecure Direct Object References
def show
@article = Article.find(params[:id])
end
def show
@article = Article.find(params[:id])
authorize @article
end
def show
@article = current_user.articles.find(params[:id])
end
5. Timing Attacks
def valid_api_key?(provided_key)
provided_key == stored_key
end
def valid_api_key?(provided_key)
ActiveSupport::SecurityUtils.secure_compare(provided_key, stored_key)
end
Security Checklist
Before deploying:
- โ All secrets in credentials, not code
- โ SSL/HTTPS enforced in production
- โ Strong password requirements
- โ CSRF protection enabled
- โ Mass assignment protected (strong params)
- โ Authorization checks on all actions
- โ Sensitive data encrypted (Lockbox)
- โ Brakeman scan passes
- โ bundler-audit passes
- โ Input validation on all user data
- โ Output escaping by default
Running Security Scans
bundle exec brakeman --no-pager
bundle exec bundle-audit check --update
Reference Documentation
For comprehensive security patterns:
- Security guide:
security.md (detailed examples and advanced patterns)
