Ruby on Rails

Rails Security

CSRF protection, SQL injection, XSS, mass assignment, secrets management, HTTPS

22 pytań z rozmów·
Senior
1

What mechanism does Rails use by default to protect against CSRF attacks?

Odpowiedź

Rails generates a unique CSRF token per session and automatically includes it in forms via a hidden field. This token is verified server-side for every non-GET request. The form_with helper automatically inserts this token, and protect_from_forgery is enabled by default in ApplicationController.

2

How to disable CSRF protection for a specific action in an API controller?

Odpowiedź

The skip_before_action :verify_authenticity_token method disables CSRF verification for specific actions. This is common for APIs using token-based authentication (JWT, API key) rather than sessions. It's recommended to limit this exception to strictly necessary actions using the only option.

3

What vulnerability is exploited in this code: User.where("name = '#{params[:name]}'")?

Odpowiedź

Direct params interpolation in a SQL query allows SQL injection. An attacker can send name="'; DROP TABLE users; --" to execute arbitrary SQL code. Use ActiveRecord placeholders instead: User.where(name: params[:name]) or User.where("name = ?", params[:name]).

4

Which ActiveRecord method automatically protects against SQL injection?

5

How does Rails automatically protect against XSS attacks in ERB views?

+19 pytań z rozmów

Inne tematy rekrutacyjne Ruby on Rails

Ruby Basics

Junior
25 pytań

Ruby Object-Oriented Programming

Junior
20 pytań

Rails Fundamentals

Junior
18 pytań

Routing & Controllers

Junior
22 pytań

ActiveRecord Basics

Junior
25 pytań

Views & ERB Templates

Junior
20 pytań

ActiveRecord Associations

Mid-Level
24 pytań

Advanced ActiveRecord Queries

Mid-Level
28 pytań

Rails Forms

Mid-Level
20 pytań

Authentication & Authorization

Mid-Level
22 pytań

Modern Asset Pipeline & Frontend

Mid-Level
18 pytań

Rails API Mode

Mid-Level
20 pytań

Testing with RSpec

Mid-Level
24 pytań

ActiveJob & Background Jobs

Mid-Level
20 pytań

ActionCable & WebSockets

Mid-Level
18 pytań

ActionMailer

Mid-Level
18 pytań

ActiveStorage

Mid-Level
20 pytań

Caching Strategies

Mid-Level
20 pytań

Advanced Migrations

Mid-Level
20 pytań

Rails Engines & Modular Apps

Senior
18 pytań

Performance Optimization

Senior
26 pytań

Rails Design Patterns

Senior
22 pytań

Ruby Metaprogramming

Senior
20 pytań

GraphQL with Rails

Senior
20 pytań

Deployment & Production

Senior
20 pytań

Monitoring & Logging

Senior
20 pytań

Rails Upgrade Strategies

Senior
18 pytań

Opanuj Ruby on Rails na następną rozmowę

Uzyskaj dostęp do wszystkich pytań, flashcards, testów technicznych, ćwiczeń code review i symulatorów rozmów.

Zacznij za darmo