You should use protection!
This gem protects against typical web attacks. Should work for all Rack apps, including Rails.
Use all protections you probably want to use:
# config.ru
require 'rack/protection'
use Rack::Protection
run MyApp
Skip a single protection middleware:
# config.ru
require 'rack/protection'
use Rack::Protection, :except => :path_traversal
run MyApp
Use a single protection middleware:
# config.ru
require 'rack/protection'
use Rack::Protection::AuthenticityToken
run MyApp
Prevented by:
Rack::Protection::AuthenticityToken
(not included byuse Rack::Protection
)Rack::Protection::FormToken
(not included byuse Rack::Protection
)Rack::Protection::JsonCsrf
Rack::Protection::RemoteReferrer
(not included byuse Rack::Protection
)Rack::Protection::RemoteToken
Prevented by:
Rack::Protection::EscapedParams
Rack::Protection::XssHeader
(Internet Explorer only)
Prevented by:
Rack::Protection::FrameOptions
Prevented by:
Rack::Protection::PathTraversal
Prevented by:
Rack::Protection::SessionHijacking
Prevented by:
Rack::Protection::IPSpoofing
gem install rack-protection