Security Audit Results

Documentation of our July 16, 2025 security audit.

Executive Summary

This document outlines the comprehensive security measures implemented in the ViewExport Rails application. The application has been hardened following industry best practices and OWASP guidelines to ensure data protection, prevent unauthorized access, and maintain system integrity.

1. HTTPS Enforcement & Transport Security

Implementation
  • Gem: secure_headers v7.0
  • Configuration: /config/initializers/secure_headers.rb

Security Controls

Strict Transport Security (HSTS)
  • Max-age: 31,536,000 seconds (1 year)
  • Includes subdomains
  • Preload enabled for browser HSTS preload lists
  • Enforces HTTPS-only communication in production

Audit Evidence
SecureHeaders::Configuration.default do |config|  # config/initializers/secure_headers.rb
  config.hsts = "max-age=31536000; includeSubDomains; preload"
end
Rails.application.config.force_ssl = true if Rails.env.production?  # redirects HTTP to HTTPS in production

2. Security Headers

Implementation

All responses include comprehensive security headers to prevent common web vulnerabilities.

Headers Configured

Header                              Value                             Purpose
X-Frame-Options                     DENY                              Prevents clickjacking attacks
X-Content-Type-Options              nosniff                           Prevents MIME type sniffing
X-XSS-Protection                    0                                 Disabled (using CSP instead)
X-Download-Options                  noopen                            Prevents IE from executing downloads
X-Permitted-Cross-Domain-Policies   none                              Restricts Adobe Flash/PDF policies
Referrer-Policy                     strict-origin-when-cross-origin   Controls referrer information

Content Security Policy (CSP)
  • Restricts resource loading to trusted sources only
  • Blocks inline scripts and styles (with specific exceptions)
  • Prevents mixed content
  • Includes violation reporting endpoint

3. Rate Limiting & DDoS Protection

Implementation
  • Gem: rack-attack v6.7
  • Configuration: /config/initializers/rack_attack.rb

Throttling Rules

Endpoint                 Limit   Period       Purpose
General requests         300     5 minutes    Prevent request flooding
Login attempts (IP)      5       20 seconds   Prevent brute force
Login attempts (email)   5       20 seconds   Prevent credential stuffing
Password resets          5       1 hour       Prevent abuse
Sign-ups                 3       15 minutes   Prevent spam accounts
API requests             100     1 minute     API rate limiting
Export downloads         10      1 hour       Prevent data scraping

Additional Protection
  • Blocks suspicious user agents (bots, crawlers, scrapers)
  • Blocks requests with no user agent
  • Safelist for localhost and trusted IPs
  • Custom 429 responses with rate limit headers
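The throttling rules above, shown as a working fixed-window limiter. This is an added example, not the project's rack_attack.rb: it counts the way Rack::Attack does (one counter per rule, window and discriminator) and carries a subset of the table's limits; the rule names, the in-memory store and the request shape are assumptions made for the illustration.

```ruby
# Added example (not the project's rack_attack.rb): a fixed-window throttle
# built the way Rack::Attack counts requests (one counter per rule, window
# and discriminator), loaded with limits from the table above. The rule
# names, the in-memory store and the request shape are constructed here.
class Throttle
  def self.login?(r)
    r[:method] == 'POST' && r[:path] == '/users/sign_in'
  end

  # name => [limit, period in seconds, discriminator]; a nil or empty
  # discriminator means the rule does not apply to that request.
  RULES = {
    'req/ip'       => [300, 300,  ->(r) { r[:ip] }],
    'logins/ip'    => [5,   20,   ->(r) { r[:ip] if login?(r) }],
    'logins/email' => [5,   20,   ->(r) { r[:params]['email'].to_s.downcase if login?(r) }],
    'exports/ip'   => [10,  3600, ->(r) { r[:ip] if r[:path].start_with?('/exports/') }]
  }.freeze

  def initialize
    @store = Hash.new(0) # counter per key; production would use Rails.cache
  end

  # Returns [status, headers]: 200 when allowed, 429 plus rate-limit
  # headers when any rule is over its limit in the current window.
  def call(request, now = Time.now.to_i)
    RULES.each do |name, (limit, period, discriminator)|
      disc = discriminator.call(request)
      next if disc.nil? || disc.empty?
      window = now / period # the key changes every `period` seconds
      count = (@store["#{name}:#{window}:#{disc}"] += 1)
      next if count <= limit
      retry_after = (window + 1) * period - now # seconds until the window rolls
      return [429, { 'Content-Type' => 'text/plain',
                     'Retry-After' => retry_after.to_s,
                     'X-RateLimit-Limit' => limit.to_s,
                     'X-RateLimit-Remaining' => '0' }]
    end
    [200, {}]
  end
end
```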

4. Session Security

Implementation

Configuration: /config/initializers/session_store.rb

Security Features
  • Secure cookies - HTTPS-only in production
  • HttpOnly flag - Prevents JavaScript access
  • SameSite=Lax - CSRF protection
  • Auto-expiry - Sessions expire after 12 hours
  • Encrypted storage - Rails encrypted cookie store

5. Authentication & Authorization Security

Authentication Monitoring

Configuration: /app/controllers/concerns/security_monitoring.rb

Features
  • Logs all authentication events (login/logout)
  • Tracks failed login attempts by IP
  • Detects brute force patterns
  • Alerts on suspicious activity (5+ failed attempts)

Authorization
  • Uses Pundit for fine-grained access control
  • Logs all authorization failures via MultiTenantErrorHandling concern
  • Multi-tenant isolation via acts_as_tenant

6. Input Validation & Injection Prevention

SQL Injection Protection
  • ActiveRecord parameterized queries (Rails default)
  • Additional query sanitization logging
  • Detection of dangerous SQL patterns (UNION, EXEC, etc.)

XSS Prevention
  • Rails HTML escaping (default)
  • CSP blocking inline scripts
  • Detection and logging of XSS attempts in parameters

CSRF Protection
  • Rails CSRF tokens (enabled by default)
  • SameSite cookies for additional protection

7. API Security

CORS Configuration
  • Gem: rack-cors v2.0
  • Configuration: /config/initializers/cors.rb

Controls
  • Restrictive origin policies
  • Limited to specific endpoints (/api/*, /exports/*)
  • Credentials required
  • Method restrictions per endpoint
  • 1MB JSON payload limit

8. Security Monitoring & Logging

Implementation
  • Module: SecurityMonitoring concern
  • Applied to: All controllers via ApplicationController

Monitored Events
  • Authentication attempts (success/failure)
  • Authorization failures
  • Potential SQL injection attempts
  • Potential XSS attempts
  • Rate limit violations
  • CSP violations

Logging Format
{
  "event": "event_type",
  "severity": "high|medium|low",
  "timestamp": "2025-07-16T16:00:00Z",
  "details": {
    "ip": "127.0.0.1",
    "user_id": 123,
    "path": "/path",
    "params": {}
  }
}
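An added example (not the project's SecurityMonitoring concern) that emits the event format above as a [SECURITY]-tagged log line and raises severity once the 5+ failed-attempt threshold from section 5 is reached. The field names and tag come from this document; the redaction list, the counter hash and the sample events are assumptions made for the illustration.

```ruby
# Added example (not the project's SecurityMonitoring concern): builds the
# tagged JSON events described above. The [SECURITY] tag, field names and
# the 5-failure threshold come from this document; the redaction list and
# the per-IP counter are constructed for the illustration.
require 'json'
require 'time'

module SecurityEvents
  SENSITIVE_KEYS = %w[password password_confirmation token authenticity_token].freeze
  BRUTE_FORCE_THRESHOLD = 5 # "5+ failed attempts" in the monitoring section

  # Returns the log line "[SECURITY] {json}". Sensitive params are masked so
  # no credential reaches log/production.log.
  def self.format(event:, severity:, ip:, path:, user_id: nil, params: {}, at: Time.now.utc)
    payload = {
      'event' => event,
      'severity' => severity,
      'timestamp' => at.iso8601,
      'details' => {
        'ip' => ip, 'user_id' => user_id, 'path' => path,
        'params' => redact(params)
      }
    }
    "[SECURITY] #{JSON.generate(payload)}"
  end

  def self.redact(params)
    params.each_with_object({}) do |(k, v), out|
      out[k.to_s] = SENSITIVE_KEYS.include?(k.to_s) ? '[FILTERED]' : v
    end
  end

  # Counts failed logins per IP in `failures` (a Hash with default 0) and
  # escalates to a high-severity brute-force event at the threshold.
  def self.record_failed_login(failures, ip:, path:, params:, at: Time.now.utc)
    count = (failures[ip] += 1)
    hit = count >= BRUTE_FORCE_THRESHOLD
    format(event: hit ? 'brute_force_detected' : 'login_failed',
           severity: hit ? 'high' : 'medium',
           ip: ip, path: path, params: params, at: at)
  end
end
```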

9. Database Security

Configuration

File: /config/initializers/database_security.rb

Security Measures
  • SSL/TLS required for production connections
  • Statement timeout - 30 seconds max query time
  • Secure search path - Restricted to public schema
  • Connection pool security - Regular connection reaping
  • Query logging - Disabled in production

10. Dependency Security

Scanning Tools
  • bundler-audit - Checks for known vulnerabilities
  • brakeman - Static security analysis

Current Status
  • ✅ No known vulnerabilities (as of July 16, 2025)
  • ✅ All dependencies up to date
  • ✅ No security warnings from brakeman

Automated Scanning
bundle exec bundler-audit check --update
bundle exec brakeman -q

11. Content Security Policy Reporting

Implementation
  • Endpoint: POST /csp-report
  • Controller: CspReportsController

Features
  • Receives browser CSP violation reports
  • Logs violations for analysis
  • No authentication required (by design)
  • Rate limited to prevent abuse

12. Additional Security Configurations

Secure Development Practices
  • Environment-specific configurations
  • Secrets stored in Rails credentials (not in code)
  • Development mode relaxations for local testing
  • No sensitive data in logs

Production Hardening
  • HTTPS enforced via multiple mechanisms
  • Secure headers on all responses
  • Database connections encrypted
  • Session data encrypted
  • Comprehensive request throttling

Compliance & Standards

OWASP Top 10 Coverage
  • A01:2021 – Broken Access Control (Pundit, session security)
  • A02:2021 – Cryptographic Failures (HTTPS, encrypted sessions)
  • A03:2021 – Injection (Parameterized queries, input validation)
  • A04:2021 – Insecure Design (Security by design principles)
  • A05:2021 – Security Misconfiguration (Secure defaults)
  • A06:2021 – Vulnerable Components (Dependency scanning)
  • A07:2021 – Authentication Failures (Rate limiting, monitoring)
  • A08:2021 – Software and Data Integrity (CSRF, secure sessions)
  • A09:2021 – Security Logging (Comprehensive monitoring)
  • A10:2021 – SSRF (Input validation, CORS policies)

Testing & Verification

Security Testing Commands
# Check for vulnerable dependencies
bundle exec bundler-audit check --update

# Run static security analysis
bundle exec brakeman

# Test rate limiting
curl -I http://localhost:3000/ -H "User-Agent: bot"

# Verify security headers
curl -I https://yourdomain.com/ | grep -E '^(Strict-Transport-Security|X-Frame-Options|Content-Security-Policy)'
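The grep above only confirms that headers are present. The following added example (not part of the original audit) also checks their values against the settings in sections 1 and 2: the HSTS max-age, includeSubDomains and preload directives, and the exact values of the other configured headers. It takes the raw header block as printed by curl -I; the sample responses used in testing are constructed.

```ruby
# Added example (not part of the original audit): validates the values of
# the headers from section 2 against the audit's expected settings. Input
# is the raw header block as printed by `curl -I`; samples are constructed.
module HeaderCheck
  EXPECTED = {
    'x-frame-options'        => 'DENY',
    'x-content-type-options' => 'nosniff',
    'x-xss-protection'       => '0',
    'referrer-policy'        => 'strict-origin-when-cross-origin'
  }.freeze
  HSTS_MIN_AGE = 31_536_000 # one year, as configured in section 1

  # Parses "Name: value" lines into a lowercase-keyed hash; the status line
  # has no colon and is skipped.
  def self.parse(raw)
    raw.each_line.with_object({}) do |line, h|
      name, value = line.chomp.split(':', 2)
      h[name.strip.downcase] = value.strip if value
    end
  end

  # Returns an array of findings; an empty array means every check passed.
  def self.audit(raw)
    headers = parse(raw)
    findings = []
    EXPECTED.each do |name, want|
      got = headers[name]
      findings << "#{name}: expected '#{want}', got #{got.inspect}" unless got == want
    end
    findings << 'content-security-policy: missing' unless headers['content-security-policy']
    hsts = headers['strict-transport-security']
    if hsts.nil?
      findings << 'strict-transport-security: missing'
    else
      directives = hsts.split(';').map { |d| d.strip.downcase }
      age_dir = directives.find { |d| d.start_with?('max-age=') }
      age = age_dir && age_dir.split('=', 2)[1].to_i
      if age.nil? || age < HSTS_MIN_AGE
        findings << "strict-transport-security: max-age #{age.inspect} below #{HSTS_MIN_AGE}"
      end
      findings << 'strict-transport-security: includeSubDomains missing' unless directives.include?('includesubdomains')
      findings << 'strict-transport-security: preload missing' unless directives.include?('preload')
    end
    findings
  end
end
```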

Incident Response

Security Event Detection
  • Real-time monitoring via Rails logs
  • Tagged security events for easy filtering
  • High-severity alerts for immediate attention

Log Locations
  • Application logs: log/production.log
  • Security events: Tagged with [SECURITY]
  • CSP violations: Tagged with [CSP_VIOLATION]

Recommendations for Ongoing Security

1. Regular Updates
  • Run bundle exec bundler-audit weekly
  • Update dependencies monthly
  • Security patches within 24 hours

2. Monitoring
  • Set up alerts for security-tagged log entries
  • Monitor rate limit violations
  • Review CSP violation reports

3. Testing
  • Quarterly penetration testing
  • Annual security audit
  • Continuous dependency scanning

4. Additional Measures
  • Implement WAF (e.g., Cloudflare)
  • Enable 2FA for all admin users
  • Regular security training for developers