Security Questionaires

Some customers, large and small have a security questionnaire that they ask about your security practices. Please contribute as you get these questions.

What is the name of the framework that generates your Session IDs?
- Ruby on Rails / Devise
Do sessions automatically time out after a specified period of inactivity?
- Yes
How long is the session timeout?
- Configured in session_store.rb
Does the application use a secure cryptographic psuedo random number generator?
- Yes
The HttpOnly setting is set for authentication cookies
- Yes (by default, overridable in session_store.rb (and N/A if using soley session store)
- No (if you have turned this off)
Session cookies are marked secure
- Yes
HSTS Security
- No (unless implemented in headers/nginx) (Http redirecting to HTTPS via ForceSSl type gems do not count)
Session Ids Can be Constructed in many ways, select the methods used in your application
- Framework has built in session ID mechanism
- Our session IDs are randomly generated strings or numbers
- We store a signed token as a cookie to indicate that the user is successfully logged in

Getting Started

Uh oh!

Security Questionaires

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!