What are the best practices to secure a Sinatra application that uses many different forms and mongodb as a database?
使用多种不同的表单和mongodb作为数据库的Sinatra应用程序的安全最佳实践是什么?
2 个解决方案
#1
12
Not sure what you are looking for. Here are a few thoughts.
不确定你在寻找什么。这里有一些想法。
If you want to validate users of your system, I suggest using authentication that operates at the Rack layer, like Warden. Not only is this likely more robust than a custom authentication solution would be, it operates as middleware so its mostly transparent and can be used outside of Sinatra should you decide to add additional middleware, custom Rack applications, or Rails to your Rack stack.
如果您想要验证您的系统的用户,我建议使用在机架层操作的身份验证,比如Warden。这不仅可能比自定义身份验证解决方案更健壮,而且它作为中间件进行操作,因此,如果您决定向您的机架堆栈中添加额外的中间件、自定义机架应用程序或Rails,则可以在Sinatra之外使用它。
The way mongodb operates, where commands are separated from the data, means injections are unlikely so some minimal sanity checking of user inputs should make the risk of database compromises pretty low. As with any database its good practice to never directly put any data into your database from a user without proper bounds checking and escaping.
mongodb的操作方式(命令与数据分离)意味着不太可能进行注入,因此对用户输入进行最小程度的完整性检查应该会降低数据库折衷的风险。与任何数据库一样,它的良好实践永远不会直接将任何数据从用户直接放到数据库中,而不需要进行适当的边界检查和转义。
Make sure users can't input HTML/JS/CSS that can be seen by other users, otherwise your site will likely be vulnerable to XSS.
确保用户不能输入其他用户可以看到的HTML/JS/CSS,否则您的站点很可能会受到XSS的攻击。
When possible clearly define all of the possible inputs a user is allowed to choose from, then make sure the input you receive from users matches EXACTLY one of the possible values you defined. If not either reject the input or pick a sane default value.
在可能的情况下,清楚地定义允许用户选择的所有可能的输入,然后确保从用户接收到的输入与您定义的一个可能的值完全匹配。如果没有拒绝输入或选择一个正常的默认值。
Good unit testing and broad test coverage can often help reduce unexpected behavior which can sometimes be used to help prevent security problems. Try that out. Certainly couldn't hurt.
良好的单元测试和广泛的测试覆盖常常有助于减少意外行为,这些行为有时可以用于防止安全问题。试一试。当然不能伤害。
Another good practice which can peripherally benefit security is to not reinvent the wheel. Go with hardened, proven, functioning solutions the rest of the community depends on so you can benefit from the insights of others and reap the rewards when someone else finds and fixes a security flaw in a library you use.
另一种有益安全的好做法是不要重新发明*。使用社区其他部分依赖的经过验证的、有效的解决方案,这样您就可以从其他人的见解中获益,并在其他人发现并修复您使用的库中的安全缺陷时获得回报。
There are many other system, database, and application level concerns you may need to address to ensure your application is secure. The scope of your question is a bit too broad to answer without intimate knowledge of your complete system architecture.
为了确保应用程序的安全性,您可能需要处理许多其他系统、数据库和应用程序级别的问题。您的问题的范围太广了,如果不了解完整的系统体系结构,就无法回答。
#2
1
Forms
If you have forms you should definitely use an authenticity token in order to avoid cross site request forgeries. Check out rack_csrf gem for Sinatra.
如果您有表单,您一定要使用真实性令牌,以避免跨站点请求伪造。看看rack_csrf宝石为Sinatra。
Cookies / Sessions
If you have have sessions enabled, since Sinatra implements cookie-based sessions you should check encrypted_cookie gem as a mean to encrypt Sinatra’s sessions using 256-bit AES algorithm.
如果您已经启用了会话,那么由于Sinatra实现了基于cookie的会话,那么您应该检查encrypted_cookie gem,以使用256位AES算法对Sinatra的会话进行加密。
Last but not least always use HTTPS
最后但并非最不重要的总是使用HTTPS
Read this blog post for a well-rounded explanation.
请阅读这篇博文,获得全面的解释。
#1
12
Not sure what you are looking for. Here are a few thoughts.
不确定你在寻找什么。这里有一些想法。
If you want to validate users of your system, I suggest using authentication that operates at the Rack layer, like Warden. Not only is this likely more robust than a custom authentication solution would be, it operates as middleware so its mostly transparent and can be used outside of Sinatra should you decide to add additional middleware, custom Rack applications, or Rails to your Rack stack.
如果您想要验证您的系统的用户,我建议使用在机架层操作的身份验证,比如Warden。这不仅可能比自定义身份验证解决方案更健壮,而且它作为中间件进行操作,因此,如果您决定向您的机架堆栈中添加额外的中间件、自定义机架应用程序或Rails,则可以在Sinatra之外使用它。
The way mongodb operates, where commands are separated from the data, means injections are unlikely so some minimal sanity checking of user inputs should make the risk of database compromises pretty low. As with any database its good practice to never directly put any data into your database from a user without proper bounds checking and escaping.
mongodb的操作方式(命令与数据分离)意味着不太可能进行注入,因此对用户输入进行最小程度的完整性检查应该会降低数据库折衷的风险。与任何数据库一样,它的良好实践永远不会直接将任何数据从用户直接放到数据库中,而不需要进行适当的边界检查和转义。
Make sure users can't input HTML/JS/CSS that can be seen by other users, otherwise your site will likely be vulnerable to XSS.
确保用户不能输入其他用户可以看到的HTML/JS/CSS,否则您的站点很可能会受到XSS的攻击。
When possible clearly define all of the possible inputs a user is allowed to choose from, then make sure the input you receive from users matches EXACTLY one of the possible values you defined. If not either reject the input or pick a sane default value.
在可能的情况下,清楚地定义允许用户选择的所有可能的输入,然后确保从用户接收到的输入与您定义的一个可能的值完全匹配。如果没有拒绝输入或选择一个正常的默认值。
Good unit testing and broad test coverage can often help reduce unexpected behavior which can sometimes be used to help prevent security problems. Try that out. Certainly couldn't hurt.
良好的单元测试和广泛的测试覆盖常常有助于减少意外行为,这些行为有时可以用于防止安全问题。试一试。当然不能伤害。
Another good practice which can peripherally benefit security is to not reinvent the wheel. Go with hardened, proven, functioning solutions the rest of the community depends on so you can benefit from the insights of others and reap the rewards when someone else finds and fixes a security flaw in a library you use.
另一种有益安全的好做法是不要重新发明*。使用社区其他部分依赖的经过验证的、有效的解决方案,这样您就可以从其他人的见解中获益,并在其他人发现并修复您使用的库中的安全缺陷时获得回报。
There are many other system, database, and application level concerns you may need to address to ensure your application is secure. The scope of your question is a bit too broad to answer without intimate knowledge of your complete system architecture.
为了确保应用程序的安全性,您可能需要处理许多其他系统、数据库和应用程序级别的问题。您的问题的范围太广了,如果不了解完整的系统体系结构,就无法回答。
#2
1
Forms
If you have forms you should definitely use an authenticity token in order to avoid cross site request forgeries. Check out rack_csrf gem for Sinatra.
如果您有表单,您一定要使用真实性令牌,以避免跨站点请求伪造。看看rack_csrf宝石为Sinatra。
Cookies / Sessions
If you have have sessions enabled, since Sinatra implements cookie-based sessions you should check encrypted_cookie gem as a mean to encrypt Sinatra’s sessions using 256-bit AES algorithm.
如果您已经启用了会话,那么由于Sinatra实现了基于cookie的会话,那么您应该检查encrypted_cookie gem,以使用256位AES算法对Sinatra的会话进行加密。
Last but not least always use HTTPS
最后但并非最不重要的总是使用HTTPS
Read this blog post for a well-rounded explanation.
请阅读这篇博文,获得全面的解释。