Ruby on Railsframework~30 mins

Security best practices in Ruby on Rails - Mini Project: Build & Apply

Choose your learning style9 modes available

Learn Why Deep Visual Try Challenge Project Recall Perf

Security Best Practices in Rails

📖 Scenario: You are building a simple Rails web application that handles user sign-up and login. To keep users safe, you need to apply security best practices in your Rails code.

🎯 Goal: Learn how to implement basic security best practices in a Rails app, including strong parameters, password hashing, and protection against common attacks.

📋 What You'll Learn

Use strong parameters to whitelist user input

Use has_secure_password for password hashing

Add CSRF protection in the controller

Sanitize user input before displaying

💡 Why This Matters

🌍 Real World

Web applications must protect user data and prevent attacks like CSRF, injection, and password theft. These practices keep users safe and build trust.

💼 Career

Rails developers are expected to know how to secure apps by using built-in features like strong parameters, password hashing, and CSRF protection.

Progress0 / 4 steps

Set up User model with secure password

Create a Rails model called User with attributes email:string and password_digest:string. Add has_secure_password to enable password hashing.

Ruby on Rails

# Create User model with email and password_digest
# Add has_secure_password inside the model

Need a hint?

The has_secure_password method adds password hashing and authentication features.

Add strong parameters in UsersController

In UsersController, create a private method called user_params that uses params.require(:user).permit(:email, :password, :password_confirmation) to whitelist user input.

Ruby on Rails

class User < ApplicationRecord
  has_secure_password
end

class UsersController < ApplicationController
  # Add user_params method here
end

Need a hint?

Strong parameters help prevent unwanted data from being saved.

Enable CSRF protection in ApplicationController

In ApplicationController, add protect_from_forgery with: :exception to enable CSRF protection.

Ruby on Rails

class ApplicationController < ActionController::Base
  # Add CSRF protection here
end

Need a hint?

This line helps protect your app from cross-site request forgery attacks.

Sanitize user input before displaying

In a view file, use the Rails helper sanitize() to safely display user input stored in @user.email.

Ruby on Rails

Need a hint?

Sanitize removes harmful HTML or scripts from user input before showing it.