devise-security
Rack::Attack
Our great sponsors
devise-security | Rack::Attack | |
---|---|---|
4 | 13 | |
560 | 5,467 | |
1.4% | 0.5% | |
6.6 | 7.1 | |
about 1 month ago | 19 days ago | |
Ruby | Ruby | |
MIT License | MIT License |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
devise-security
- Beware - Devise 4.9.1 and devise-security gem
-
Best authentication in 2022? Devise, Clearance, OAuth, anything else?
Rodauth is IMO the most feature-complete and the most stable. It ships with "enterprise"-grade features such as single session, session expiration, password expiration, password complexity requirements, disallowing common passwords, and disallowing password reuse (basically what devise-security extension provides).
-
Rails application boilerplate for fast MVP development
add devise-security
-
Devise only allow one session per user at the same time
An alternative implementation.... https://github.com/devise-security/devise-security/blob/master/lib/devise-security/models/session_limitable.rb
Rack::Attack
-
Rails Authentication for Compliance
The first line of defense should be to put rate-limiting on your login endpoints. rack-attack can help with that. I recommend to limit the login attempts to 5 per minute for a username and block the IP for 30 minutes. You should also limit the number of login attempts from the same IP address, but this needs to be adjusted to the application you are working on, because if it is a tool used in classrooms, it might be legit to have 50 logins within a few minutes from the same IP. (I have a few post written about rack-attack)
-
4 Essential Security Tools To Level Up Your Rails Security
Rack::Attack
- Huginn’s IP keeps getting blocked by Kickstarter
-
10 things I add to every Rails app
The final gem I like to include in all projects is rack-attack. This is a rate limiting tool which is great for throttling dangerous actions in your app to prevent bot attacks or other malicious users.
-
Rails application boilerplate for fast MVP development
rack-attack to prevent bruteforce and DDoS attacks
-
What is happening once you launch and open a Rails app to the real, wild web
https://github.com/rack/rack-attack#fail2ban
It's entirely normal and expected. If your site gets any traction, volume and sophistication of probing will only increase. I recommend starting by setting up Rack Attack (https://github.com/rack/rack-attack), that will help you block the bad actors for awhile, if the volume gets high enough you'll want to start blocking traffic upstream in reverse proxy or load balancing layer, depending on architecture.
What are some alternatives?
Metasploit - Metasploit Framework
Rack::Protection - NOTE: This project has been merged upstream to sinatra/sinatra
rspec-rails - RSpec for Rails 6+
Rack::UTF8Sanitizer - Rack::UTF8Sanitizer is a Rack middleware which cleans up invalid UTF8 characters in request URI and headers.
BeEF - The Browser Exploitation Framework Project
rack-throttle - Rack middleware for rate-limiting incoming HTTP requests.
Gitrob - Reconnaissance tool for GitHub organizations
Brakeman - A static analysis security vulnerability scanner for Ruby on Rails applications
Devise - Flexible authentication solution for Rails with Warden.
SecureHeaders - Manages application of security headers with many safe defaults
view_component - A framework for building reusable, testable & encapsulated view components in Ruby on Rails.
Pundit - Minimal authorization through OO design and pure Ruby classes