Legal

Security Audit Results

Documentation of our July 16 2025 security audit.

Last updated: July 16, 2025

Executive Summary

This document outlines the comprehensive security measures implemented in the ViewExport Rails application. The application has been hardened following industry best practices and OWASP guidelines to ensure data protection, prevent unauthorized access, and maintain system integrity.

1. HTTPS Enforcement & Transport Security

Implementation
  • Gem: secure_headers v7.0
  • Configuration: /config/initializers/secure_headers.rb

Security Controls

Strict Transport Security (HSTS)
  • Max-age: 31,536,000 seconds (1 year)
  • Includes subdomains
  • Preload enabled for browser HSTS preload lists
  • Enforces HTTPS-only communication in production
Audit Evidence
config.hsts = "max-age=31536000; includeSubDomains; preload"
Rails.application.config.force_ssl = true if Rails.env.production?

2. Security Headers

Implementation

All responses include comprehensive security headers to prevent common web vulnerabilities.

Headers Configured

HeaderValuePurpose
X-Frame-OptionsDENYPrevents clickjacking attacks
X-Content-Type-OptionsnosniffPrevents MIME type sniffing
X-XSS-Protection0Disabled (using CSP instead)
X-Download-OptionsnoopenPrevents IE from executing downloads
X-Permitted-Cross-Domain-PoliciesnoneRestricts Adobe Flash/PDF policies
Referrer-Policystrict-origin-when-cross-originControls referrer information
Content Security Policy (CSP)
  • Restricts resource loading to trusted sources only
  • Blocks inline scripts and styles (with specific exceptions)
  • Prevents mixed content
  • Includes violation reporting endpoint

3. Rate Limiting & DDoS Protection

Implementation
  • Gem: rack-attack v6.7
  • Configuration: /config/initializers/rack_attack.rb
Throttling Rules
EndpointLimitPeriodPurpose
General requests3005 minutesPrevent request flooding
Login attempts (IP)520 secondsPrevent brute force
Login attempts (email)520 secondsPrevent credential stuffing
Password resets51 hourPrevent abuse
Sign-ups315 minutesPrevent spam accounts
API requests1001 minuteAPI rate limiting
Export downloads101 hourPrevent data scraping
Additional Protection
  • Blocks suspicious user agents (bots, crawlers, scrapers)
  • Blocks requests with no user agent
  • Safelist for localhost and trusted IPs
  • Custom 429 responses with rate limit headers

4. Session Security

Implementation

Configuration: /config/initializers/session_store.rb

Security Features
  • Secure cookies — HTTPS-only in production
  • HttpOnly flag — Prevents JavaScript access
  • SameSite=Lax — CSRF protection
  • Auto-expiry — Sessions expire after 12 hours
  • Encrypted storage — Rails encrypted cookie store

5. Authentication & Authorization Security

Authentication Monitoring

Configuration: /app/controllers/concerns/security_monitoring.rb

Features
  • Logs all authentication events (login/logout)
  • Tracks failed login attempts by IP
  • Detects brute force patterns
  • Alerts on suspicious activity (5+ failed attempts)
Authorization
  • Uses Pundit for fine-grained access control
  • Logs all authorization failures via MultiTenantErrorHandling concern
  • Multi-tenant isolation via acts_as_tenant

6. Input Validation & Injection Prevention

SQL Injection Protection
  • ActiveRecord parameterized queries (Rails default)
  • Additional query sanitization logging
  • Detection of dangerous SQL patterns (UNION, EXEC, etc.)
XSS Prevention
  • Rails HTML escaping (default)
  • CSP blocking inline scripts
  • Detection and logging of XSS attempts in parameters
CSRF Protection
  • Rails CSRF tokens (enabled by default)
  • SameSite cookies for additional protection

7. API Security

CORS Configuration
  • Gem: rack-cors v2.0
  • Configuration: /config/initializers/cors.rb
Controls
  • Restrictive origin policies
  • Limited to specific endpoints (/api/*, /exports/*)
  • Credentials required
  • Method restrictions per endpoint
  • 1MB JSON payload limit

8. Security Monitoring & Logging

Implementation
  • Module: SecurityMonitoring concern
  • Applied to: All controllers via ApplicationController
Monitored Events
  • Authentication attempts (success/failure)
  • Authorization failures
  • Potential SQL injection attempts
  • Potential XSS attempts
  • Rate limit violations
  • CSP violations
Logging Format
{
  "event": "event_type",
  "severity": "high|medium|low",
  "timestamp": "2025-07-16T16:00:00Z",
  "details": {
    "ip": "127.0.0.1",
    "user_id": 123,
    "path": "/path",
    "params": {}
  }
}

9. Database Security

Configuration

File: /config/initializers/database_security.rb

Security Measures
  • SSL/TLS required for production connections
  • Statement timeout — 30 seconds max query time
  • Secure search path — Restricted to public schema
  • Connection pool security — Regular connection reaping
  • Query logging — Disabled in production

10. Dependency Security

Scanning Tools
  • bundler-audit — Checks for known vulnerabilities
  • brakeman — Static security analysis
Current Status
  • No known vulnerabilities (as of July 16, 2025)
  • All dependencies up to date
  • No security warnings from brakeman
Automated Scanning
bundle exec bundler-audit check --update
bundle exec brakeman -q

11. Content Security Policy Reporting

Implementation
  • Endpoint: POST /csp-report
  • Controller: CspReportsController
Features
  • Receives browser CSP violation reports
  • Logs violations for analysis
  • No authentication required (by design)
  • Rate limited to prevent abuse

12. Additional Security Configurations

Secure Development Practices
  • Environment-specific configurations
  • Secrets stored in Rails credentials (not in code)
  • Development mode relaxations for local testing
  • No sensitive data in logs
Production Hardening
  • HTTPS enforced via multiple mechanisms
  • Secure headers on all responses
  • Database connections encrypted
  • Session data encrypted
  • Comprehensive request throttling

Compliance & Standards

OWASP Top 10 Coverage
  • A01:2021 – Broken Access Control (Pundit, session security)
  • A02:2021 – Cryptographic Failures (HTTPS, encrypted sessions)
  • A03:2021 – Injection (Parameterized queries, input validation)
  • A04:2021 – Insecure Design (Security by design principles)
  • A05:2021 – Security Misconfiguration (Secure defaults)
  • A06:2021 – Vulnerable Components (Dependency scanning)
  • A07:2021 – Authentication Failures (Rate limiting, monitoring)
  • A08:2021 – Software and Data Integrity (CSRF, secure sessions)
  • A09:2021 – Security Logging (Comprehensive monitoring)
  • A10:2021 – SSRF (Input validation, CORS policies)

Testing & Verification

Security Testing Commands
# Check for vulnerable dependencies
bundle exec bundler-audit check --update

# Run static security analysis
bundle exec brakeman

# Test rate limiting
curl -I http://localhost:3000/ -H "User-Agent: bot"

# Verify security headers
curl -I https://yourdomain.com/ | grep -E '^(Strict-Transport-Security|X-Frame-Options|Content-Security-Policy)'

Incident Response

Security Event Detection
  • Real-time monitoring via Rails logs
  • Tagged security events for easy filtering
  • High-severity alerts for immediate attention
Log Locations
  • Application logs: log/production.log
  • Security events: Tagged with [SECURITY]
  • CSP violations: Tagged with [CSP_VIOLATION]

Recommendations for Ongoing Security

1. Regular Updates
  • Run bundle exec bundler-audit weekly
  • Update dependencies monthly
  • Security patches within 24 hours
2. Monitoring
  • Set up alerts for security-tagged log entries
  • Monitor rate limit violations
  • Review CSP violation reports
3. Testing
  • Quarterly penetration testing
  • Annual security audit
  • Continuous dependency scanning
4. Additional Measures
  • Implement WAF (e.g., Cloudflare)
  • Enable 2FA for all admin users
  • Regular security training for developers