This is a trend that we’ve seen with pretty much every popular programming language out there – like for example PHP, which sadly still holds the record for most insecure websites written in the language.

One very popular web framework these days is Ruby on Rails, created by the very talented 29 year old Danish guy David Heinemeier Hansson. It uses a Model-View-Controller construction and emphasizes good design by such principles as DRY (Don’t Repeat Yourself). By all means it’s a very good web framework! But as with PHP, a lot of newcomers get it wrong. Either by not following the Ruby on Rails conventions or by ignoring security!

Now, we’re not here to teach you about design. If you want to learn more about proper software design, a good place to start is simply your local library. Look for books on topics like Design Patterns, Software Engineering, Extreme Programming, Test Driven Development and Agile Software Development.

However what we do want to teach you about, is proper security in Ruby on Rails! Luckily, we don’t have to take out extreme amounts of time from the work we need to do, to get you trained in RoR security – instead we can simply refer to the work already done by the OWASP organization. OWASP is an organization working to improve web application security in the entire world, by means of a whole bunch of different projects for developers, security professionals and end users. One of these projects is the Ruby on Rails Security Guide V2 project which includes a PDF file detailing the different security concerns and solutions concerning Ruby on Rails development.

If you are going to develop Ruby on Rails applications (or if you’re simply curious) please download the Ruby on Rails Security Guide from OWASP and read it before doing any production deployment of applications.

Note: If you’re too busy to go to the project page on OWASP and find the download link, then here’s a direct download link instead: Download the Security Guide

Normally you want to make sure your server doesn’t give out any information about service versions, however mod_rails doesn’t provide any easy way of doing this within the module itself. There is however a fairly easy solution. Simply use mod_headers to remove the headers in Apache.

So how is it done? Very simple, just enable the module mod_headers and add the snippet below to httpd.conf or another included configuration file in Apache. Both actions have to be done as root of course.

Enable the mod_headers module (This example is Linux Debian – it might be different for your system)

# cd /etc/apache2/mods-available/
# a2enmod headers

Add these lines to httpd.conf

Header always unset "X-Powered-By"
Header always unset "X-Runtime"

Restart the Apache server (Again – this is Debian! It might be different for you)

# apache2ctl restart

And there you go. Try making e.g. a Nikto scan on the server and see if the headers aren’t there any more.