Hi folks, Is there an issue with urls and security? How should I be encoding them? More than just h()? thanks
on 2009-03-25 00:05
on 2009-03-25 00:23
On Tue, Mar 24, 2009 at 6:04 PM, itsastickup <firstname.lastname@example.org> wrote: > Is there an issue with urls and security? How should I be encoding > them? More than just h()? http://guides.rubyonrails.org/security.html -- Greg Donald http://destiney.com/
on 2009-03-25 00:52
I've read hundreds of these guides: they tell you to encode but usually not how in differing circmstances. The rails docs aren't well cross referenced, so they are out also. That's why I am asking in a newsgroup. Do you know the answer?
on 2009-03-25 01:48
itsastickup wrote: > Is there an issue with urls and security? How should I be encoding > them? More than just h()? Firstly h() doesn't encode URLs. Secondly URL encoding is not about security. URL encoding is used to convert characters in a URL to those of the limited set of characters that are valid for URLs. See: http://www.w3schools.com/TAGS/ref_urlencode.asp The Rails security guide posted by Greg contains the information you need to know to secure your Rails application. If you're querying about the security of the transmission of data between the client user agent (browser) and the web server, this is provided by the SSL/TLS protocol. SSL/TLS is common to all web sites and applications that need to protect the transmission of data across the internet, whether they be Rails or static web pages. SSL/TLS is also used to protect against so called "man-in-the-middle" attacks. SSL/TLS (as far as we know) makes it impossible for one web server to "spoof" a legitimate server. The fake site should never be able to acquire a valid certificate for a different domain. Beyond that, there are also be security concerns in the client web browsers themselves. But, that's not really your concern as an application developer. That is unless you're the one trying to hack into client machines though security vulnerabilities in client browsers, but I trust that you're not.
on 2009-03-25 11:06
on 2009-03-25 12:58