ruby on rails - RoR security with POST method: where and how does the validation occur, and how to optimize it?
In forums I have had the experience of newbies getting unhelpful answers (to describe former experiences nicely) when asking questions about things that are obvious to more experienced users. Please excuse what I fear is one of those questions; nevertheless I want to understand, and I hope someone can explain the following to me in simple words.
How does RoR behave from a security perspective when POST is used?
Specifically:
1. Where does validation occur in the example below?
1.1 Server-side?
1.2 Client-side?
1.3 Both?
1.3.1 If both, the remaining points should be sorted out... (right?)
    class Article < ActiveRecord::Base
      validates :title, presence: true, length: { minimum: 5 }
    end
2. If validation occurs on the server side:
2.1 Couldn't this lead to a situation where someone uses a script to "overload" the server with such invalid requests, keeping the server so busy that it won't respond to other requests?
2.2 Is there (an additional) client-side validation performed (or could one be implemented if it isn't handled), or could bypassing client-side validation by entering the URL/POST string directly flood the server with useless requests (traffic, RAM, ...)?
3. In case validation occurs on the client side:
3.1 Could an attacker bypass it by triggering a (guessed) POST string from the browser directly and insert into the DB what we don't want to see there?
3.2 How to mitigate that?
I am not sure if I explained my thoughts well enough; I am no programmer nor hacker, but my work is related a lot to business logic and processes, and the question of how POST behaves and how RoR handles it keeps my brain busy.
Your time crafting a short answer in simple words is appreciated.
The validation in the above case happens on the server side.
2.1 Invalid requests: if someone is trying to abuse the system by flooding it with invalid requests (which may be form posts or otherwise), it might lead to a denial of service (DoS). You should consider using tools like fail2ban; there are many tools to handle abusive clients, and you may want to google and figure out what works best in your setup.
2.2 Ideally you should have client-side validation; it leads to a better user experience, and using tools and services that handle DoS or DDoS should take care of abusive clients.
3.1 Have server-side validations and DB-level constraints. Data integrity is paramount; ideally it should be in perfect condition irrespective of the client or framework you use.
3.2 Server-side validations and DB constraints maintain data integrity.
These are good questions, and worrying about security is good.
For DoS or DDoS attacks there isn't much you can do in code, although these problems have been solved before, so there should be a lot of information on them; google them.
For the stuff you should be careful about in code, read:
http://guides.rubyonrails.org/security.html
Also, http://blog.honeybadger.io/ruby-security-tutorial-and-rails-security-guide/
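The answer's two layers of defence (server-side validation, then a DB-level constraint behind it) in working code, as an added example that is not part of the question or the answer above. It is a dependency-free simulation, not ActiveRecord: the Article class is a hand-rolled stand-in mirroring the page's `validates :title, presence: true, length: { minimum: 5 }`, and ArticlesTable, handle_post, insert_unvalidated and the request bodies are all hypothetical. The point it demonstrates is question 3.1: by the time Rails hands a POST body to the controller it is just a hash of strings, so a request typed into curl with an extra forged field looks exactly like a form submission with the JavaScript validation switched off, and the server-side check is the one that actually decides.

```ruby
require "uri"

# Added example, not code from the question or answer: a dependency-free
# simulation of server-side validation plus a DB-level constraint.
# Article mirrors the page's
#   validates :title, presence: true, length: { minimum: 5 }
# ArticlesTable, handle_post and the request strings are hypothetical.

MIN_TITLE_LENGTH = 5

class Article
  attr_reader :title, :errors

  def initialize(title:)
    @title  = title
    @errors = []
  end

  # Server-side validation. It runs on every save, so it does not matter
  # whether the request came from the app's own form or from curl.
  def valid?
    @errors = []
    text = title.to_s
    @errors << "Title can't be blank" if text.strip.empty?
    @errors << "Title is too short (minimum is #{MIN_TITLE_LENGTH} characters)" if text.length < MIN_TITLE_LENGTH
    @errors.empty?
  end
end

# Stand-in for the articles table with a CHECK-style constraint: the database
# enforces it even when application code skips validation (a bulk import, or a
# save(validate: false) somewhere in the code base).
class ArticlesTable
  ConstraintViolation = Class.new(StandardError)

  def initialize
    @rows = []
  end

  def insert(title)
    raise ConstraintViolation, "check constraint title_min_length failed" if title.to_s.length < MIN_TITLE_LENGTH
    @rows << title
  end

  def count
    @rows.size
  end
end

# Controller action for a POST. The raw body is a constructed
# application/x-www-form-urlencoded string, decoded with the standard library.
def handle_post(raw_body, table)
  params = URI.decode_www_form(raw_body).to_h
  # Strong-parameters style whitelist: unknown keys such as "admin" are dropped.
  article = Article.new(title: params.slice("title")["title"])
  if article.valid?
    table.insert(article.title)
    { status: 201, errors: [] }
  else
    { status: 422, errors: article.errors }   # nothing reaches the table
  end
end

# What happens when application validation is bypassed: only the constraint
# stands between the bad row and the table.
def insert_unvalidated(raw_body, table)
  params = URI.decode_www_form(raw_body).to_h
  table.insert(params["title"])
  :inserted
rescue ArticlesTable::ConstraintViolation => e
  e.message
end

if __FILE__ == $PROGRAM_NAME
  table = ArticlesTable.new
  p handle_post("title=Hello+world", table)      # accepted
  p handle_post("title=Hi&admin=true", table)    # rejected, forged field ignored
  p handle_post("body=no+title+at+all", table)   # rejected, both errors
  p insert_unvalidated("title=Hi", table)        # stopped by the constraint
  p table.count
end
```

In a real Rails application the second layer is a `null: false` column plus a database CHECK constraint (Rails 6.1 and later expose this as `add_check_constraint` in migrations; assuming that version), so the rule holds even for code paths that never call `valid?`. Request flooding (question 2.1) is deliberately absent here: as the answer says, it is handled in front of the application rather than in the model.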