Authentication is a special part of web applications. On the one hand, it usually is a crucial security mechanism restrict access to certain people and roles. On the other hand, most users authenticate only once, so it is very unlikely to spot issues by accident.

Growing Rails Applications in Practice

Check out our e-book. Learn to structure large Ruby on Rails codebases with the tools you already know and love.

• Introduce design conventions for controllers and user-facing models
• Create a system for growth
• Build applications to last

Read more Show archive.org snapshot

So, here comes a quick checklist to help you verifying your authentication solution is all set.

• This should be default: use HTTPS with HSTS. The HSTS part is important.
• Use a reliable authentication solution, e.g. Clearance Show archive.org snapshot or Devise Show archive.org snapshot . Don't roll your own (see bottom).
  • Make sure you don't accidentally offer a sign-up for an internal application. Check rake routes.

Reviewing authentication in a legacy app?

There are a lot of footguns with authentication when an app is old or has homegrown crypto. See our guide for fixing authentication in legacy apps