Authentication is a special part of web applications. On the one hand, it is usually a crucial security mechanism that restricts access to certain people and roles. On the other hand, most users authenticate only once, so it is very unlikely that issues are spotted by accident.
So here is a quick checklist to help you verify that your authentication solution is all set.
- This should be the default: use HTTPS with HSTS. The HSTS part is important.
- Use a reliable authentication solution, e.g. Clearance or Devise. Don't roll your own (see bottom).
- Make sure you don't accidentally offer a sign-up for an internal application. Check the output of rake routes.
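The rake routes check above can be scripted. The following is an added example, not part of the original card or of Devise or Clearance: it scans the text printed by rails routes (rake routes on older Rails) for the registration routes Devise generates and reports any that an internal application still exposes. The route dump below is constructed sample output.

```ruby
# Added example: flag sign-up routes in a `rails routes` / `rake routes` dump.
# Patterns cover Devise's registrations controller and its default sign-up
# path, plus a common custom naming; extend them for your own routes.
SIGNUP_PATTERNS = [
  %r{registrations#(new|create)},   # Devise sign-up actions
  %r{/sign_up\b},                   # Devise's default sign-up path
  %r{\bsignup\b},                   # common custom naming
].freeze

# Returns the route lines that look like a sign-up endpoint.
# Accepts the raw text of the routes command (header line is skipped).
def signup_routes(routes_output)
  routes_output.each_line.map(&:strip).select do |line|
    next false if line.empty? || line.start_with?('Prefix')
    SIGNUP_PATTERNS.any? { |re| line.match?(re) }
  end
end

# Constructed sample output, modelled on an app using `devise_for :users`.
SAMPLE_ROUTES = <<~ROUTES
                  Prefix Verb   URI Pattern                    Controller#Action
        new_user_session GET    /users/sign_in(.:format)       devise/sessions#new
            user_session POST   /users/sign_in(.:format)       devise/sessions#create
    destroy_user_session DELETE /users/sign_out(.:format)      devise/sessions#destroy
   new_user_registration GET    /users/sign_up(.:format)       devise/registrations#new
       user_registration POST   /users(.:format)               devise/registrations#create
                    root GET    /                              pages#home
ROUTES

if __FILE__ == $PROGRAM_NAME
  hits = signup_routes(SAMPLE_ROUTES)
  if hits.empty?
    puts 'no sign-up routes found'
  else
    puts 'sign-up routes exposed:'
    hits.each { |line| puts "  #{line}" }
  end
end
```

Run it against the real output (rails routes | ruby check_signup_routes.rb, reading STDIN instead of the sample) in CI so a reintroduced registration route fails the build; for Devise the usual fix is devise_for :users, skip: :registrations.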
Reviewing authentication in a legacy app?
There are a lot of footguns with authentication when an app is old or has homegrown crypto. See our guide for fixing authentication in legacy apps.
Posted by Dominik Schöler to makandra dev (2018-05-22 08:49)