Our last security tasks of the semester is to help our API trust our client Application, and to ask direct the user's browser to help prevent cross-site scripting, code injection, and cross-site resource forgery.
- API: Require signed routes
- At a minimum, all POST requests to API that cannot provide an
auth_tokenmust be signed - Create a
SignedRequestlibrary to verify signed requests using a verify key - Relevant controllers should verify signed requests before passing parsed data to service objects
- At a minimum, all POST requests to API that cannot provide an
- App: Sign critical requests:
- Update your
SecureMessagelibrary to sign messages using a signing key the API has created - Send your signed json requests with separate
dataandsignatureparts
- Update your
- Send security directives to browser:
- Make a security controller file that enables all these settings (e.g.,
/controllers/security.rb) - Move all security related code from
/config/environments.rbto the new security controller - Add secure headers to protect cookies, default browser behaviors, and content security policies
- Add a reporting route that the browser can report CSP violations to
- Make a security controller file that enables all these settings (e.g.,
- Ensure all third party scripts, stylesheets, fonts, and other assets have an integrity hash for browsers to check
- Accounts must be able to create all relevant resources
- Accounts must be able to share resources between each other where appropriate