Insecure SSL Setting in Rails Application

Description

The Rails application has an insecure SSL setting, which can lead to improper certificate validation and make the application vulnerable to man-in-the-middle attacks.

Examples

Insecure Code

ruby

Rails.application.configure do
  config.force_ssl = false
end

Secure Code

ruby

Rails.application.configure do
  config.force_ssl = true
  config.ssl_options = { secure_cookies: true, hsts: { subdomains: true } }
end

Remediation

Enable SSL and set secure cookies and HSTS to true. For example, add the following configuration to the Rails application: config.force_ssl = true, config.ssl_options = { secure_cookies: true, hsts: { subdomains: true } }

Rule Details

Field	Value
ID	CODE-0639
Category	InsecureConfig
Severity	HIGH
CWE	CWE-295
Confidence	HIGH
Impact	HIGH
Likelihood	HIGH
Exploitability	EASY
Tags	ssl, tls, certificate validation
OWASP	N/A

References

https://api.rubyonrails.org/v7.1.3.4/classes/ActionDispatch/SSL.html

Overview

SAST (Application Security)

SCA (Dependencies)

Secrets Detection

IaC Security

License Compliance

SAST Rules

IaC Rules

License Rules

Insecure SSL Setting in Rails Application

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details

References

SAST Rules

IaC Rules

License Rules

Insecure SSL Setting in Rails Application ​

Description ​

Examples ​

Insecure Code ​

Secure Code ​

Remediation ​

Rule Details ​

References ​

Insecure SSL Setting in Rails Application

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details

References