Session Settings
HTTP Only
It is recommended that session cookies be set to “http-only”. This helps prevent stealing of cookies via cross site scripting.
Secret Length
Brakeman will warn if the key length for the session cookies is less than 30 characters.
Version control inclusion
Brakeman will warn if the config/initializers/secret_token.rb is included in the version control. It is recommended that secret_token.rb is excluded from version control, and included in .gitignore
Back to Warning Types