Securing a Rails app, blog comments?

I'm only using the h() function when displaying it in the admin zone (so the admin session is valid), but I don't know if that's enough or if I'm missing something.

  1. Protect against SQL injection by using bind variables in your code.

  2. When you populate your model object from a form, use attr_protected to prevent malicious users from accessing fields that are not intended for users to populate (like approved, paid, etc.).

  3. Always check the id parameter to make sure that the id belongs to that user, to avoid exposing records that belong to other users.

  4. Protect all methods that are not supposed to be invoked from the URL by using the protected or private keyword for those methods.

  5. Don't run an FTP server or echo server on your production machine.

  6. Use the https protocol for sensitive data.

  7. Don’t cache authenticated pages.
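As an added plain-Ruby illustration (not the poster's code and not Rails itself) of the escaping point in the question and of checklist items 2 and 3: comment bodies are escaped on every output path, not only in the admin zone; form fields are filtered before they reach the model; and records are looked up through the current user. The sample comments and field names are constructed for the example.

```ruby
require 'erb'

# Constructed sample data: comments from two different users, one carrying markup.
COMMENTS = [
  { id: 1, user_id: 7, body: 'Nice post!' },
  { id: 2, user_id: 9, body: '<b>bold</b> & "quoted" <img src=x>' }
].freeze

# Escape on output wherever the comment is rendered (public page or admin zone).
# ERB::Util.html_escape is the stdlib routine that Rails' h() helper delegates to;
# the stored body stays raw, the browser only ever sees the escaped form.
def render_comment(comment)
  "<li>#{ERB::Util.html_escape(comment[:body])}</li>"
end

# Checklist item 2, modelled in plain Ruby: drop fields a form must never set,
# so adding `approved=1` to a POST body has no effect on the record.
PROTECTED_FIELDS = %i[approved paid user_id].freeze

def assign_from_form(params)
  params.reject { |key, _| PROTECTED_FIELDS.include?(key.to_sym) }
end

# Checklist item 3: scope the lookup by owner as well as id, so asking for
# another user's comment id returns nil instead of their record.
def find_owned_comment(id, current_user_id)
  COMMENTS.find { |c| c[:id] == id && c[:user_id] == current_user_id }
end

if __FILE__ == $PROGRAM_NAME
  COMMENTS.each { |c| puts render_comment(c) }
  p assign_from_form('body' => 'hi', 'approved' => true)
  p find_owned_comment(2, 7)   # nil: comment 2 belongs to user 9
end
```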