Ruby on Rails Source Code Security/Obfuscation

Ruby on Rails source code security / obfuscation

Similar to Matt Briggs's point: if you don't trust your web host, you're addressing the wrong problem. If your web host wants to steal your data, cripple your website, redirect your users, etc., nothing can stop them. Even if the code is fully compiled binary code written in assembler, your admin could still find a hack, replace resources, or replace your code altogether. Moral of the story: find a web host you trust, and don't bother obfuscating your code.

Encoding Ruby on Rails code?

Maybe you could host the application yourself.

This way nobody will ever have access to your code, and your clients will use the application from anywhere via the Internet and will also pay you for support.

The easiest way to host a Rails application is to try http://heroku.com/, or even to set up a small VPS with Apache and mod_passenger.

How to hide Ruby generated JavaScript code in a separate file?

So we didn't find any way to fully hide the JavaScript. What we ended up doing was juggling a rather unfortunate number of variables and method stubs created via Ruby and passed to more static JavaScript located in a separate file which gets minified. Not the most elegant of solutions, but if you can follow the stub trail then I applaud you.
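The pattern the answer describes, server-side Ruby handing values to a static, minified JavaScript file, as an added example that is not from the original answer. It uses plain ERB instead of a Rails view, a hypothetical `page-config` element id and hypothetical config keys, and a `json_escape` that makes the same substitutions as Rails' `ERB::Util.json_escape`, so a value containing `</script>` cannot end the data block early. Everything in that block is delivered to the browser, which is the reason it can only carry values the user is allowed to see.

```ruby
require "json"
require "erb"

# Same substitutions as Rails' ERB::Util.json_escape: the output is still
# valid JSON, but it can no longer contain "</script>" or a raw "<" / ">"
# that would close the element early or inject markup.
JSON_ESCAPE = {
  "&" => '\u0026', ">" => '\u003e', "<" => '\u003c',
  "\u2028" => '\u2028', "\u2029" => '\u2029'
}.freeze

def json_escape(json)
  json.gsub(/[&<>\u2028\u2029]/, JSON_ESCAPE)
end

# Values chosen on the server. Every one of them reaches the browser, so
# nothing secret belongs here. Key names are hypothetical.
def page_config(user_name, api_base)
  { "userName" => user_name, "apiBase" => api_base }
end

# The view: one JSON data block that the static script reads, followed by
# the minified file itself. In the browser the static file does:
#   const cfg = JSON.parse(document.getElementById("page-config").textContent);
TEMPLATE = ERB.new(<<~HTML)
  <script id="page-config" type="application/json"><%= json_escape(config.to_json) %></script>
  <script src="/assets/app.min.js"></script>
HTML

def render_page(config)
  TEMPLATE.result_with_hash(config: config)
end

# Reads the block back the way the browser's JSON.parse would; used to show
# that escaping did not change the values, only their encoding.
def config_from_html(html)
  JSON.parse(html[%r{<script id="page-config" type="application/json">(.*?)</script>}m, 1])
end

if __FILE__ == $PROGRAM_NAME
  # Constructed hostile input: a user name that tries to break out of the block.
  html = render_page(page_config("</script><script>alert(1)</script>", "/api/v1"))
  puts html
  p config_from_html(html)
end
```

Without `json_escape` the `to_json` output would land in the page verbatim and the first `</script>` inside the user name would terminate the data block; with it, the only two `</script>` tags in the page are the ones the template wrote.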

Is it secure to store passwords as environment variables (rather than as plain text) in config files?

On a more theoretical level, I tend to think about levels for security in the following ways (in order of increasing strength):

  • No security. Plain text. Anyone that knows where to look, can access the data.
  • Security by Obfuscation. You store the data (plaintext) someplace tricky, like an environment variable, or in a file that is meant to look like a configuration file. An attacker will eventually figure out what's going on, or stumble across it.
  • Security provided by encryption that is trivial to break, (think caesar cipher!).
  • Security provided by encryption that can be broken with some effort.
  • Security provided by encryption that is impractical to break given current hardware.
  • The most secure system is one that nobody can use! :)

Environment variables are more secure than plaintext files, because they are volatile/disposable, not saved; i.e. if you set only a local environment variable, like "set pwd=whatever", and then run the script with something that exits your command shell at the end of the script, then the variable no longer exists. Your case falls into the first two, which I'd say is fairly insecure. If you were going to do this, I wouldn't recommend deploying outside your immediate intranet/home network, and then only for testing purposes.


