Skip to content

Security Questionaires

Jump to bottom Edit New page
Stephen Reid edited this page Jul 21, 2017 · 1 revision

Some customers, large and small have a security questionnaire that they ask about your security practices. Please contribute as you get these questions.

  1. What is the name of the framework that generates your Session IDs?
    • Ruby on Rails / Devise
  2. Do sessions automatically time out after a specified period of inactivity?
    • Yes
  3. How long is the session timeout?
    • Configured in session_store.rb
  4. Does the application use a secure cryptographic psuedo random number generator?
    • Yes
  5. The HttpOnly setting is set for authentication cookies
    • Yes (by default, overridable in session_store.rb (and N/A if using soley session store)
    • No (if you have turned this off)
  6. Session cookies are marked secure
    • Yes
  7. HSTS Security
    • No (unless implemented in headers/nginx) (Http redirecting to HTTPS via ForceSSl type gems do not count)
  8. Session Ids Can be Constructed in many ways, select the methods used in your application
    • Framework has built in session ID mechanism
    • Our session IDs are randomly generated strings or numbers
    • We store a signed token as a cookie to indicate that the user is successfully logged in

Getting Started

MIT License. Copyright 2009-2020 Plataformatec. http://plataformatec.com.br

Add a custom sidebar
Clone this wiki locally