Insecure Network Communication
Why is this important?
Ensuring that data in transit between users and your application is protected is the most fundamental security requirement. If this security control is not in place, all bets are off: attackers have many ways to attack your users.
Fixing Insecure Network Communication
Option A: Properly Set SSL Verification
- Go through the issues that GuardRails identified in the PR.
- Replace `OpenSSL::SSL::VERIFY_NONE`:

```ruby
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
```

with `OpenSSL::SSL::VERIFY_PEER`:

```ruby
# Ensure that you have a valid certificate, otherwise this will raise
# an OpenSSL::SSL::SSLError.
# Get free certificates at https://letsencrypt.org/
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
```

- Test it
- Ship it 🚢 and relax 🌴
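The following is an added example, not code from the original page or from GuardRails. It shows what the two `verify_mode` settings actually do against a server whose certificate no CA store trusts: the script generates a self-signed certificate for 127.0.0.1 (constructed for the demo), serves it from a local TLS server on an ephemeral port, and then connects with `Net::HTTP` three times. `VERIFY_NONE` silently accepts the untrusted certificate, `VERIFY_PEER` raises `OpenSSL::SSL::SSLError` as the comment above says it will, and `VERIFY_PEER` together with an explicit `cert_store` that holds the expected certificate succeeds. That last variant is the right fix when `VERIFY_NONE` was added to make a test or internal endpoint work: trust the specific certificate instead of disabling verification. The helper names (`self_signed_pair`, `start_tls_server`, `build_client`, `fetch_root`, `run_demo`) are this example's own.

```ruby
require 'net/http'
require 'openssl'
require 'socket'

# Constructed for this demo: a self-signed certificate for 127.0.0.1. No system
# CA store trusts it, which is exactly how a forged or misissued certificate
# looks to a client that verifies its peer.
def self_signed_pair
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse('/CN=127.0.0.1')
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  # The SAN must match the address the client connects to, or hostname
  # verification fails even when the certificate itself is trusted.
  cert.add_extension(ef.create_extension('subjectAltName', 'IP:127.0.0.1'))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Minimal HTTPS server on an ephemeral loopback port; answers every request
# with "ok". Returns [port, thread, listening_socket].
def start_tls_server(key, cert)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key  = key
  tcp = TCPServer.new('127.0.0.1', 0)
  tls = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  thread = Thread.new do
    loop do
      begin
        client = tls.accept
        # Drain the request headers so the client never sees a reset.
        while (line = client.gets) && line != "\r\n"; end
        client.write("HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok")
        client.close
      rescue OpenSSL::SSL::SSLError, IOError, SystemCallError
        # A verifying client aborts the handshake; keep serving.
        break if tcp.closed?
      end
    end
  end
  [tcp.addr[1], thread, tcp]
end

# Client configured the way the page discusses: use_ssl plus a verify_mode.
# cert_store, when given, replaces the system CA store with explicit anchors.
def build_client(port, verify_mode, cert_store: nil)
  http = Net::HTTP.new('127.0.0.1', port, nil) # nil: never route through a proxy
  http.use_ssl      = true
  http.verify_mode  = verify_mode
  http.cert_store   = cert_store if cert_store
  http.open_timeout = 5
  http.read_timeout = 5
  http
end

# :ok when a 200 came back over TLS, :rejected when peer verification failed.
def fetch_root(http)
  code = http.start { |h| h.get('/').code }
  code == '200' ? :ok : :unexpected
rescue OpenSSL::SSL::SSLError
  :rejected
end

# Runs all three client configurations against the untrusted server.
def run_demo
  key, cert = self_signed_pair
  port, thread, tcp = start_tls_server(key, cert)
  trusted = OpenSSL::X509::Store.new
  trusted.add_cert(cert) # pin the demo certificate as the only trust anchor
  {
    verify_none:        fetch_root(build_client(port, OpenSSL::SSL::VERIFY_NONE)),
    verify_peer:        fetch_root(build_client(port, OpenSSL::SSL::VERIFY_PEER)),
    verify_peer_pinned: fetch_root(build_client(port, OpenSSL::SSL::VERIFY_PEER, cert_store: trusted))
  }
ensure
  thread&.kill
  tcp&.close
end

if __FILE__ == $PROGRAM_NAME
  run_demo.each { |mode, outcome| puts "#{mode}: #{outcome}" }
  # verify_none: ok / verify_peer: rejected / verify_peer_pinned: ok
end
```

The `verify_none: ok` line is the finding GuardRails is flagging: the client completed a TLS session with a certificate it had no reason to trust, so anyone able to put themselves on the path could have presented one just like it. In production the `cert_store` override is not needed at all; a certificate issued by a public CA verifies against the default store with plain `VERIFY_PEER`.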
Option B: Use secure source URLs
- Go through the issues that GuardRails identified in the PR.
- Replace instances of `source :XXXXXX`:

```ruby
source :rubygems
```

with the explicit secure URL, like:

```ruby
source 'https://rubygems.org'
```

- Test it
- Ship it 🚢 and relax 🌴
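As an added example (not code from the original page or from GuardRails), here is a small checker that applies this rule to a whole Gemfile: it flags every `source` line that uses a symbol shorthand or a plaintext `http://` URL, and rewrites the ones it can fix safely. Symbol sources are replaced with `'https://rubygems.org'` as the page instructs, and `http://rubygems.org` is upgraded to `https://`. A plaintext URL for any other host is only reported, because the fix there is to confirm that the server actually serves HTTPS before changing the scheme. The sample Gemfile, the private host name in it, and the function names (`insecure_sources`, `secure_gemfile_sources`) are constructed for this example.

```ruby
require 'uri'

# Matches a Gemfile `source` directive: either a symbol (source :rubygems)
# or a quoted URL (source 'https://...'), keeping any trailing comment.
SOURCE_LINE = /\A(\s*source\s+)(?::(\w+)|(["'])([^"']+)\3)(.*)\z/

# Constructed sample Gemfile for the demo; the private host is fictitious.
SAMPLE_GEMFILE = <<~GEMFILE
  source :rubygems
  source "http://rubygems.org"
  source 'http://gems.internal.example' # constructed private server
  source 'https://rubygems.org'

  gem 'rails'
GEMFILE

# Returns one {line:, text:, reason:} entry per insecure source directive.
def insecure_sources(gemfile_text)
  gemfile_text.each_line.with_index(1).filter_map do |line, n|
    m = SOURCE_LINE.match(line.chomp)
    next unless m
    if m[2]
      { line: n, text: line.chomp,
        reason: "symbol source :#{m[2]} does not pin an https:// URL" }
    elsif m[4].start_with?('http://')
      { line: n, text: line.chomp, reason: 'plaintext http:// gem source' }
    end
  end
end

# Rewrites the Gemfile text, fixing the directives whose secure form is known.
def secure_gemfile_sources(gemfile_text)
  gemfile_text.each_line.map do |line|
    m = SOURCE_LINE.match(line.chomp)
    next line unless m
    prefix, sym, quote, url, rest = m.captures
    eol = line.end_with?("\n") ? "\n" : ''
    if sym
      # Any symbol shorthand becomes the explicit public rubygems.org URL.
      "#{prefix}'https://rubygems.org'#{rest}#{eol}"
    elsif url.start_with?('http://') && URI.parse(url).host == 'rubygems.org'
      "#{prefix}#{quote}#{url.sub(/\Ahttp:/, 'https:')}#{quote}#{rest}#{eol}"
    else
      line # https already, or a third-party http host left for manual review
    end
  end.join
end

if __FILE__ == $PROGRAM_NAME
  insecure_sources(SAMPLE_GEMFILE).each do |f|
    puts "Gemfile:#{f[:line]}: #{f[:reason]}: #{f[:text]}"
  end
  puts secure_gemfile_sources(SAMPLE_GEMFILE)
end
```

Running `insecure_sources` again on the rewritten text leaves only the third-party `http://` line flagged, which is the one a reviewer still has to resolve by hand.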