devise-token-auth
Security
This gem takes the following steps to ensure security. It uses auth tokens that are:

- changed after every request (this can be turned off),
- of cryptographic strength,
- hashed using BCrypt (not stored in plain text),
- securely compared (to protect against timing attacks),
- invalidated after 2 weeks (thus requiring users to log in again).

These measures were inspired by this stackoverflow post.

This gem further mitigates timing attacks by using this technique.
But the most important step is to use HTTPS. You are on the hook for that.
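The following Ruby sketch is an added example of the token lifecycle the list above describes; it is not code from devise-token-auth. One difference is labelled in the comments: where the gem hashes tokens with BCrypt, this example uses PBKDF2-HMAC-SHA256 from Ruby's standard library so that it runs without extra gems. The `TokenStore` class, the `client_id` key and the injectable clock are assumptions made for the example.

```ruby
require 'securerandom'
require 'openssl'

# Added example (not the gem's code). Models one auth token's lifecycle:
# generated with cryptographic strength, stored only as a salted hash,
# compared in constant time, rotated on every request, expired after 2 weeks.
TOKEN_LIFETIME = 2 * 7 * 24 * 60 * 60 # two weeks, in seconds

class TokenStore
  attr_reader :tokens

  # The clock is injectable so expiry can be exercised deterministically.
  def initialize(clock: -> { Time.now })
    @tokens = {} # client_id => { digest:, salt:, expiry: }
    @clock = clock
  end

  # Issue a fresh token for a client. Only its hash is kept server-side,
  # so a leaked database does not yield usable tokens.
  def issue(client_id)
    token = SecureRandom.urlsafe_base64(32) # 256 bits from the OS CSPRNG
    salt = SecureRandom.random_bytes(16)
    @tokens[client_id] = {
      digest: digest(token, salt),
      salt: salt,
      expiry: @clock.call + TOKEN_LIFETIME
    }
    token
  end

  # Validate a presented token. On success the token is rotated and the new
  # token is returned (the old one stops working); otherwise nil is returned.
  def authenticate(client_id, presented)
    record = @tokens[client_id]
    return nil if record.nil?

    if @clock.call > record[:expiry]
      @tokens.delete(client_id) # expired: the user must log in again
      return nil
    end

    return nil unless constant_time_equal?(digest(presented, record[:salt]), record[:digest])

    issue(client_id) # rotate after every successful request
  end

  private

  # Slow, salted hash of the token. The gem uses BCrypt; this example
  # substitutes stdlib PBKDF2-HMAC-SHA256 so it runs without extra gems.
  def digest(token, salt)
    OpenSSL::KDF.pbkdf2_hmac(token, salt: salt, iterations: 20_000, length: 32, hash: 'sha256')
  end

  # Compare two byte strings without short-circuiting on the first mismatch,
  # so the comparison time does not leak how many leading bytes matched.
  def constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize

    result = 0
    a.bytes.zip(b.bytes) { |x, y| result |= x ^ y }
    result.zero?
  end
end
```

Comparing the hashes rather than the raw tokens means the length check in `constant_time_equal?` leaks nothing useful, since every digest has the same fixed length regardless of the token presented.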