devise-token-auth

Security


Last updated 6 months ago

This gem takes the following steps to ensure security.

This gem uses auth tokens that are:

  • changed after every request (this can be turned off in the initializer settings via `change_headers_on_each_request`),

  • of cryptographic strength (generated with SecureRandom, i.e. from the operating system's CSPRNG),

  • hashed using BCrypt (not stored in plain text, so a database leak does not expose usable tokens),

  • securely compared (a constant-time comparison, to protect against timing attacks),

  • invalidated after 2 weeks (thus requiring users to log in again; the lifespan is the `token_lifespan` initializer setting).

These measures were inspired by this Stack Overflow post.

This gem further mitigates timing attacks by using this technique: the user record is looked up by the non-secret `uid` and `client` headers, and only then is the secret `access-token` header compared against the stored hash. The secret itself is never used as a database lookup key, so an attacker cannot probe the token byte by byte through query timing.

But the most important step is to use HTTPS. You are on the hook for that. Every header above travels in the clear otherwise, and a token captured on the wire is as good as a password until it expires or is rotated.
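The following Ruby is an added example, not code from devise_token_auth itself, showing the five properties above in one place: a token drawn from SecureRandom, stored only as a salted hash, compared in constant time, rotated on every successful request, and rejected after the two-week lifespan. It also shows the lookup-by-non-secret-id pattern, with one extra mitigation that is my addition rather than anything the page states: an unknown client id is checked against a dummy record, so "no such client" and "wrong token" cost the same. Assumptions: the `TokenStore` class is constructed for this example and stands in for one user's `tokens` column; PBKDF2-HMAC-SHA256 from Ruby's stdlib is swapped in for the BCrypt gem so the file runs without extra gems (BCrypt's work factor plays the role of the iteration count); `secure_compare` reimplements the XOR-accumulate approach Devise.secure_compare uses.

```ruby
require 'securerandom'
require 'openssl'

# Constant-time comparison, the same approach Devise.secure_compare takes: after
# the length check, run time does not depend on where the first mismatch sits,
# unlike String#== which stops at the first differing byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  l = a.unpack('C*')
  res = 0
  b.each_byte { |byte| res |= byte ^ l.shift }
  res.zero?
end

# In-memory stand-in for one user's tokens column, keyed by client id.
# Constructed for this example; it is not devise_token_auth's own class.
class TokenStore
  TOKEN_LIFESPAN    = 2 * 7 * 24 * 60 * 60 # two weeks, in seconds
  PBKDF2_ITERATIONS = 10_000               # stdlib stand-in for BCrypt's cost factor
  HASH_LENGTH       = 32

  def initialize(change_headers_on_each_request: true)
    @rotate = change_headers_on_each_request
    @tokens = {} # client id => { salt:, hash:, expiry: }
    # Checked when the client id is unknown, so that the unknown-client path does
    # the same hashing and comparison work as the wrong-token path (assumption:
    # an added mitigation, not something the page describes).
    @dummy = { salt: SecureRandom.random_bytes(16),
               hash: SecureRandom.random_bytes(HASH_LENGTH),
               expiry: Time.at(0) }
  end

  # Issues a token for a client. Returns [client_id, token]; the plaintext token
  # is handed to the client and never kept, only its salted hash is.
  def issue(client_id = SecureRandom.urlsafe_base64(16), now: Time.now)
    token = SecureRandom.urlsafe_base64(32) # 256 bits from the OS CSPRNG
    salt  = SecureRandom.random_bytes(16)
    @tokens[client_id] = { salt: salt, hash: hash_token(token, salt), expiry: now + TOKEN_LIFESPAN }
    [client_id, token]
  end

  # Returns nil when the request is not authenticated; otherwise the token the
  # client must send next (a fresh one when rotation is on, the same one when off).
  def authenticate(client_id, token, now: Time.now)
    record    = @tokens.fetch(client_id, @dummy) # look up by the non-secret id, never by the secret
    candidate = hash_token(token.to_s, record[:salt])
    matches   = secure_compare(candidate, record[:hash])
    return nil unless matches && now <= record[:expiry]
    @rotate ? issue(client_id, now: now).last : token
  end

  # Drops tokens past their lifespan; returns the remaining table.
  def revoke_expired(now: Time.now)
    @tokens.delete_if { |_, r| now > r[:expiry] }
  end

  private

  def hash_token(token, salt)
    OpenSSL::KDF.pbkdf2_hmac(token, salt: salt, iterations: PBKDF2_ITERATIONS,
                                    length: HASH_LENGTH, hash: 'sha256')
  end
end

if __FILE__ == $PROGRAM_NAME
  store = TokenStore.new
  client, token = store.issue
  next_token = store.authenticate(client, token)
  puts "rotated: #{next_token != token}"                       # rotated: true
  puts "old token rejected: #{store.authenticate(client, token).nil?}" # old token rejected: true
end
```

Rotation is what makes a captured token worthless after the next legitimate request, but it also means the client must read the new `access-token` from every response and must not fire several requests with the same token at once; that is the situation the gem's batch request handling exists for, and it is why the setting can be turned off.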