[Rails] Adding SameSite and Secure attributes ~ Rails security measures ~

Introduction

There was an in-house study session on cookie security, so I'll summarize what I learned. **Rails is an excellent framework, so it comes with decent security measures as standard; you can build things without thinking too much about security.** That's both good and bad.

Release of Google Chrome 80

Google Chrome 80 was officially released on February 4, 2020 (local time). https://developers-jp.googleblog.com/2019/11/cookie-samesitenone-secure.html With this version, **the default value of a cookie's SameSite attribute changed from None to Lax**. Also, **if you set the SameSite attribute to None, you must also add the Secure attribute**.

Huh? What does that mean?

That probably doesn't click right away, and some people may not follow it, so I'll explain it roughly.

SameSite attribute

**The SameSite attribute is an attribute set on cookies to protect users from the attack called CSRF (Cross-Site Request Forgery).** Think of it as a cookie option for security.

From Google Chrome 80, its default value changed from None to Lax. Simply put, that is **more secure**. Google has been strict about security measures lately.

**The SameSite attribute has three levels.**

| Attribute | Contents |
|---|---|
| None | Cookies are sent on cross-site requests |
| Lax | Cookies are sent cross-site only on top-level GET navigations |
| Strict | Cookies are not sent on cross-site requests |

In terms of security level, **None < Lax < Strict**.

In other words, it is the setting that decides whether a cookie may be sent across sites or not!

Secure attribute

**The Secure attribute controls whether a cookie is sent over non-HTTPS connections. Cookies with the Secure attribute are sent only over HTTPS.** In short, the cookie is less likely to be stolen in transit.

**From Google Chrome 80, the specification changed so that the Secure attribute must be added when SameSite is None.**

In other words, it's a message from Google: "SameSite is None? That's not clearly safe, so at least add the Secure attribute."

Rails settings

Now that you understand the Chrome 80 changes and the SameSite and Secure attributes, let's configure them in Rails!

Gemfile

```ruby
gem 'rails_same_site_cookie'
```

Terminal

```shell
bundle install
```

**Yes. That's all.**

No special settings are required. Just install the rails_same_site_cookie gem. It's really easy. `SameSite=None; Secure` is automatically added to every cookie. Keep in mind that, by the table above, None is the least restrictive of the three levels, so this is only appropriate when your cookies genuinely need to be sent cross-site; otherwise the Lax default that Chrome now applies is the safer choice.
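To show what "automatically added to every cookie" looks like under the hood, here is a small Rack-style middleware written for this post (an added illustration, not the rails_same_site_cookie gem's own code) that rewrites each Set-Cookie line; the sample app and cookie values are constructed.

```ruby
# Added example: a minimal Rack-style middleware that appends "SameSite=None; Secure"
# to every Set-Cookie header that does not already declare a SameSite value. This is
# an illustration of the behaviour described in the post, not the gem's implementation.
class SameSiteNoneCookies
  # Rack 2 joins multiple Set-Cookie values with a newline.
  SEPARATOR = "\n"

  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    if (raw = headers['Set-Cookie'])
      headers['Set-Cookie'] = raw.split(SEPARATOR)
                                 .map { |cookie| self.class.harden(cookie) }
                                 .join(SEPARATOR)
    end
    [status, headers, body]
  end

  # Returns the cookie line with SameSite=None; Secure added when SameSite is absent.
  # A cookie that already declares SameSite (Lax/Strict/None) keeps its value; if that
  # value is None without Secure, Secure is added, as Chrome 80 requires.
  def self.harden(cookie)
    attrs = cookie.split(';').map(&:strip)
    same_site = attrs.find { |a| a =~ /\ASameSite=/i }
    if same_site.nil?
      same_site = 'SameSite=None'
      attrs << same_site
    end
    if same_site.casecmp('SameSite=None').zero? && attrs.none? { |a| a.casecmp('Secure').zero? }
      attrs << 'Secure'
    end
    attrs.join('; ')
  end
end

# Constructed sample app (hypothetical, not a real Rails app): one session cookie with no
# SameSite attribute and one preference cookie that already says SameSite=Lax.
SAMPLE_APP = lambda do |_env|
  [200, { 'Set-Cookie' => "_app_session=abc123; Path=/; HttpOnly\nprefs=dark; Path=/; SameSite=Lax" }, ['ok']]
end

# Runs the sample app through the middleware and returns the rewritten Set-Cookie lines.
def demo_headers
  _status, headers, _body = SameSiteNoneCookies.new(SAMPLE_APP).call({})
  headers['Set-Cookie'].split(SameSiteNoneCookies::SEPARATOR)
end
```

Only the session cookie gains `SameSite=None; Secure`; the cookie that already declared `SameSite=Lax` is left as it was.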

How to check

Checking is easy too. Open Chrome DevTools, click the Application tab, and look at the cookies in use. It's OK if **Secure is checked and SameSite is None**.

[Screenshot: スクリーンショット 2020-10-23 18.31.24.png]

Conclusion

I met a ridiculously skilled hacker at the study session, so now I'm trembling every day while I develop.
