Closed SammySteiner closed 4 months ago
@SammySteiner My high level feedback is related to the template nature of this repo. The audience for this document should be engineers who are working on an application based on this template, not engineers working on the template (i.e. us).
I suggest that you re-organize this document into a checklist of best practices that the template is currently doing, and a checklist of best practices that the template is not yet doing. For anything that could be added in the future (i.e. not a one-time configuration setting, but something to check again as the application develops), add a note that calls that out.
For example, something like this:

- [x] SSL (`config.force_ssl = true`) is enforced in production environments.
- [ ] CSRF protection is enabled in production environments.
- [ ] Expire sessions after a set amount of time, regardless of activity.
  - NOTE: This should be enforced by the auth service, such as by AWS Cognito.
- [ ] For all forms accessible by non-authenticated users, configure honeypot fields and logic to thwart bots.
  - ONGOING NOTE: Check this anytime a new form is added to the application.
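The checklist format proposed above can be generated rather than maintained by hand. The following Ruby script is an added example, not code from this PR or from the template repository: it scans Rails configuration sources for the settings the checklist names and renders the `[x]` / `[ ]` lines, keeping the manual, recurring item (honeypot fields) unchecked with its ongoing note. The file paths, regexes and the sample file contents are assumptions about an idiomatic Rails layout and are constructed inline so the script runs offline.

```ruby
# Added example (not the PR's or the template's own code): render the
# reviewer's proposed "[x] / [ ]" checklist by scanning Rails config files.
#
# A check passes when any listed file contains a line matching the pattern.
# Anchoring on ^\s* means a commented-out setting ("# config.force_ssl = true")
# does not count as enabled. An empty evidence list marks a manual review item
# that no config line can prove, so it is always rendered unchecked.
# File paths and patterns are heuristics (assumptions), not template facts.
CHECKS = [
  {
    label: "SSL (config.force_ssl = true) is enforced in production environments.",
    evidence: [["config/environments/production.rb",
                /^\s*config\.force_ssl\s*=\s*true\b/]],
  },
  {
    label: "CSRF protection is enabled in production environments.",
    evidence: [
      ["app/controllers/application_controller.rb", /^\s*protect_from_forgery\b/],
      ["config/environments/production.rb",
       /^\s*config\.action_controller\.default_protect_from_forgery\s*=\s*true\b/],
    ],
  },
  {
    label: "Expire sessions after a set amount of time, regardless of activity.",
    evidence: [["config/initializers/session_store.rb",
                /^\s*Rails\.application\.config\.session_store\b.*expire_after:/]],
    note: "NOTE: This should be enforced by the auth service, such as by AWS Cognito.",
  },
  {
    label: "For all forms accessible by non-authenticated users, configure honeypot fields and logic to thwart bots.",
    evidence: [], # no single config line proves this; it stays a manual item
    note: "ONGOING NOTE: Check this anytime a new form is added to the application.",
  },
].freeze

# files: Hash of relative path => file contents (strings).
# Returns true when any evidence pattern matches a line of the named file.
def check_passes?(check, files)
  check[:evidence].any? do |path, pattern|
    contents = files[path]
    next false unless contents
    contents.each_line.any? { |line| line.match?(pattern) }
  end
end

# Returns the checklist as an array of Markdown lines in the format above:
# one "- [x]/[ ]" line per item, plus an indented note line where present.
def render_checklist(files)
  CHECKS.flat_map do |check|
    box = check_passes?(check, files) ? "[x]" : "[ ]"
    lines = ["- #{box} #{check[:label]}"]
    lines << "  - #{check[:note]}" if check[:note]
    lines
  end
end

# Constructed sample input (not real template files): SSL is forced, the CSRF
# default is present but commented out, and no session expiry is configured.
SAMPLE_FILES = {
  "config/environments/production.rb" => <<~RUBY,
    Rails.application.configure do
      config.force_ssl = true
      # config.action_controller.default_protect_from_forgery = true
    end
  RUBY
  "app/controllers/application_controller.rb" => <<~RUBY,
    class ApplicationController < ActionController::Base
    end
  RUBY
}.freeze

puts render_checklist(SAMPLE_FILES) if $PROGRAM_NAME == __FILE__
```

Because the patterns look only for explicit lines, a setting that Rails enables through `config.load_defaults` without an explicit line in the app (CSRF protection, for instance) shows as unchecked; that is the safer failure mode for a checklist, since a false "[x]" hides a gap while a false "[ ]" prompts a quick look.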
Thanks @rocketnova! This is the guidance I needed to take this doc from personal notes as I was reading through the documentation to something that's useful and digestible for other people.
Ticket

Changes

Added `application-security.md` file in the `docs/app-rails` folder, based on this Rails doc: https://guides.rubyonrails.org/v7.1/security.html.

Context for reviewers