Fedora Security Team

Secure Ruby Development Guide

Guide to secure software development in Ruby

Edition 1

Ján Rusnačko

Red Hat, Inc. Product Security Team

Legal Notice

Copyright © 2014 Ján Rusnačko.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at The original authors of this document, and Red Hat, designate the Fedora Project as the "Attribution Party" for purposes of CC-BY-SA. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
For guidelines on the permitted uses of the Fedora trademarks, refer to
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
All other trademarks are the property of their respective owners.
This guide covers security aspects of software development in Ruby.

1. Environment
1.1. Code quality metrics
1.2. Dependency management
1.2.1. Outdated Dependencies
1.2.2. Vendoring dependencies
1.2.3. Gem signing
1.3. Static code analysis with Brakeman
1.3.1. Continuous integration
1.3.2. Reducing number of false warnings
2. Language features
2.1. Tainting and restricted code execution
2.1.1. Object.tainted?
2.1.2. Object.untrusted?
2.1.3. $SAFE
2.2. Dangerous methods
2.3. Symbols
2.4. Serialization in Ruby
2.4.1. Marshal.load
2.4.2. YAML.load
2.4.3. JSON.parse and JSON.load
2.4.4. Exploiting deserialization vulnerabilities
2.5. Regular expressions
2.6. Object.send
2.7. SSL in Ruby
2.7.1. Certificate store
2.7.2. Ruby libraries using OpenSSL
3. Web Application Security
3.1. Common attacks and mitigations
3.1.1. Command injection
3.1.2. Cross site scripting (XSS)
3.1.3. Cross site request forgery (CSRF)
3.1.4. Guidelines and principles
3.2. Client-side security
3.2.1. Same origin policy
3.2.2. Bypassing same origin policy
3.2.3. Content Security Policy (CSP)
3.2.4. HTTP Strict Transport Security
3.2.5. X-XSS-Protection
3.2.6. X-Frame-Options
3.2.7. X-Content-Type-Options
3.2.8. Configuring Rails
3.2.9. Guidelines and recommendations
3.3. Application server configuration and hardening
3.3.1. Logging
A. Revision History