
Security hardening based on penetration test findings#20

Open
umairnow wants to merge 1 commit into quran:master from umairnow:security/pentest-remediation-fixes


  • Remove committed secrets: replace .env.development and config/secrets.yml with example templates containing placeholders, not real credentials
  • Update .gitignore to exclude .env*, config/secrets.yml, config/database.yml
  • Create .dockerignore to prevent secrets from being copied into Docker images
  • Enable config.force_ssl in production for HTTPS enforcement
  • Secure session cookie with httponly, secure, and same_site flags
  • Add security headers initializer (CSP, X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, Referrer-Policy, Permissions-Policy)
  • Add rack-cors gem with explicit origin allowlist (replaces wildcard CORS)
  • Add rack-attack gem with rate limiting for API, login, registration, and password reset endpoints
  • Harden devise_token_auth: enable check_current_password_before_update, set explicit token_lifespan (2 weeks), limit max_number_of_devices to 5
  • Expand filter_parameter_logging to cover tokens, secrets, OAuth fields
  • Remove excessive user_location scope from OmniAuth Facebook configuration
  • Fix bookmark model uniqueness validation to scope per-user (was global)
  • Harden Dockerfile: chown entire app dir to app user, add .dockerignore
  • Harden nginx config: server_tokens off, passenger_show_version_in_header off, add security headers at nginx level
  • Add bundler-audit gem for dependency vulnerability scanning
  • Add .pre-commit-config.yaml with detect-secrets and detect-private-key hooks
  • Add SECURITY.md with responsible disclosure policy

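Several of the items above (the security headers initializer and the session cookie's httponly, secure and same_site flags) are response-level hardening that Rails applies through configuration. The following is an added illustration, not code from this pull request or the quran project: a plain-Ruby, Rack-compatible middleware that applies the same header set and cookie flags to any response, together with two check functions a tester can run against a captured response to confirm the finding is closed. The header values, the SameSite mode (Lax) and the cookie name `_session_id` are this example's own choices; the PR does not state which values it uses.

```ruby
# Added example (not from the PR): Rack-style response hardening in plain Ruby.
# A Rack app is anything responding to call(env) and returning
# [status, headers, body], so this runs without Rails or the rack gem.

# Defensive defaults chosen for this example; a real app tunes the CSP to the
# script, style and image origins it actually loads.
SECURITY_HEADERS = {
  "Content-Security-Policy" => "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
  "X-Content-Type-Options"  => "nosniff",
  "X-Frame-Options"         => "DENY",
  # "0" switches the legacy browser XSS auditor off; CSP is the real control here.
  "X-XSS-Protection"        => "0",
  "Referrer-Policy"         => "strict-origin-when-cross-origin",
  "Permissions-Policy"      => "camera=(), microphone=(), geolocation=()",
}.freeze

# Cookie attributes every session cookie must carry (compared case-insensitively).
REQUIRED_COOKIE_FLAGS = %w[httponly secure samesite].freeze

# Which of the required headers are absent from a response header hash?
def missing_security_headers(headers, required = SECURITY_HEADERS.keys)
  required.reject { |name| headers.keys.any? { |k| k.casecmp?(name) } }
end

# Which of the required flags are absent from one Set-Cookie value?
def missing_cookie_flags(cookie)
  present = cookie.split(";").drop(1).map { |attr| attr.strip.split("=", 2).first.downcase }
  REQUIRED_COOKIE_FLAGS - present
end

class HardenResponse
  def initialize(app, headers: SECURITY_HEADERS, same_site: "Lax")
    @app, @headers, @same_site = app, headers, same_site
  end

  # Rack contract: call(env) -> [status, headers, body]
  def call(env)
    status, headers, body = @app.call(env)
    headers = headers.dup
    # Add a header only when the app did not already set its own (possibly
    # more specific) value; the check ignores case so Rack 3 lowercase names match.
    @headers.each { |name, value| headers[name] = value unless header_set?(headers, name) }
    cookie_key = headers.keys.find { |k| k.casecmp?("set-cookie") }
    headers[cookie_key] = harden_cookies(headers[cookie_key]) if cookie_key
    [status, headers, body]
  end

  private

  def header_set?(headers, name)
    headers.keys.any? { |k| k.casecmp?(name) }
  end

  # Rack 2 joins several cookies with "\n"; Rack 3 passes an Array. Handle both.
  def harden_cookies(value)
    list = value.is_a?(Array) ? value : value.split("\n")
    hardened = list.map { |cookie| harden_cookie(cookie) }
    value.is_a?(Array) ? hardened : hardened.join("\n")
  end

  # Append only the flags that are missing, so an explicit SameSite=Strict
  # set by the app is preserved rather than overwritten.
  def harden_cookie(cookie)
    attrs = cookie.split(";").map(&:strip).reject(&:empty?)
    missing = missing_cookie_flags(cookie)
    attrs << "HttpOnly" if missing.include?("httponly")
    attrs << "Secure" if missing.include?("secure")
    attrs << "SameSite=#{@same_site}" if missing.include?("samesite")
    attrs.join("; ")
  end
end

# Constructed downstream app standing in for the unhardened application:
# it sets a session cookie with no protective flags and no security headers.
INSECURE_APP = lambda do |_env|
  [200, { "Content-Type" => "text/html", "Set-Cookie" => "_session_id=abc123; Path=/" }, ["ok"]]
end

def hardened_response(env = { "REQUEST_METHOD" => "GET", "PATH_INFO" => "/" })
  HardenResponse.new(INSECURE_APP).call(env)
end

if $PROGRAM_NAME == __FILE__
  _status, headers, _body = hardened_response
  puts "Headers still missing after hardening: #{missing_security_headers(headers).inspect}"
  puts "Set-Cookie: #{headers["Set-Cookie"]}"
end
```

In a Rails application the same headers are normally supplied through `config.action_dispatch.default_headers` and the cookie flags through the session store options, as the PR describes; the middleware form is shown here because it runs stand-alone and makes the before/after difference visible. The two check functions are independent of the middleware and can be pointed at any response captured during a re-test.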