How would I go about securing private-use admin forms in Heroku? These are forms to administer the site - edit master (or static) data, settings etc. Normally I would never expose these to the internet in general and would just apply basic account security on the app to manage internal privileges.
i.e. the sort of things I'm wondering about:
- Is https a must to secure a site when using authlogic?
- Is it possible (how) to configure your webserver to require SSL on certain routes only?
- Is Authlogic + SSL secure enough to secure a page which if compromised could destroy your entire business?
- Is there a way of leveraging Heroku's admin account security to lock down a part of a site to its owner only?
- I guess managing the site using the PG console would give me the security I require but not the usability.
I don't have a world of Rails, or Heroku, knowledge, but my take on it would be that if your site already requires authentication, go ahead and add the authorization piece for your administrative user(s) that only allow them to access your admin page(s). Check out CanCan for authorization.
If only your admin page(s) require administration, then you can probably get away with just using AuthLogic to make sure an identified user is accessing those admin page(s).
- I tend to think of SSL as a transport concern, and that would make it unlikely that AuthLogic would require it. That being said, any time you're passing sensitive data around (passwords), I would consider SSL a requirement. If the app is securing your grandmother's cookie recipes, then you might forgo the SSL implementation, except for the experience.
- I may be wrong on this, but SSL is for an entire site/domain. If your admin page(s) were hosted on a separate site/domain, then that might work.
- AuthLogic + SSL should be secure enough - an admin user getting their password hacked (sticky note, email, etc.) will compromise any security you've got in place. If by "destroyed" you mean sensitive customer data leaked, then liability insurance might mitigate that. If you mean that your site will be down, then put in disaster recovery processes to bring your site back up/online (ASAP) and maybe invalidate existing administration credentials?
- Whoosh (completely over my head)
- Whoosh (completely over my head)
HTH,
Z
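Requiring SSL on only some routes, which the question and the answer above both touch on, can be enforced in the app rather than the web server (Rails' `force_ssl` controller macro does this per controller). The following is an added example, not code from either answer: a self-contained Rack-style middleware (no gems needed, so it runs as plain Ruby) that forces HTTPS for paths under an assumed /admin prefix, using the X-Forwarded-Proto header that Heroku's router sets when it terminates TLS; the host name and demo app are constructed.

```ruby
# Added example: Rack-style middleware that requires HTTPS for /admin routes
# only and leaves the rest of the site untouched. A Rack middleware is just
# an object responding to #call(env), so nothing beyond plain Ruby is needed.
class RequireSslForAdmin
  PROTECTED_PREFIX = "/admin" # assumption: adjust to your admin namespace

  def initialize(app)
    @app = app
  end

  def call(env)
    path = env["PATH_INFO"].to_s
    return @app.call(env) unless path.start_with?(PROTECTED_PREFIX)
    return @app.call(env) if https?(env)

    # Plain-HTTP admin request: redirect to the HTTPS equivalent before any
    # cookie or form data is processed by the application.
    location = "https://#{env["HTTP_HOST"]}#{path}"
    location += "?#{env["QUERY_STRING"]}" unless env["QUERY_STRING"].to_s.empty?
    [301, { "Location" => location, "Content-Type" => "text/plain" },
     ["Redirecting to HTTPS\n"]]
  end

  private

  # On Heroku the dyno sees plain HTTP even for TLS requests, because the
  # router terminates TLS and reports the client's scheme in
  # X-Forwarded-Proto. Trusting that header is only sound because the dyno
  # is reachable solely through the router; fall back to rack.url_scheme.
  def https?(env)
    forwarded = env["HTTP_X_FORWARDED_PROTO"].to_s.split(",").first.to_s.strip
    return forwarded == "https" unless forwarded.empty?
    env["rack.url_scheme"] == "https"
  end
end

# Constructed demo: a trivial downstream app and a helper that pushes one
# request through the middleware and returns the resulting status code.
DEMO_APP = lambda { |_env| [200, { "Content-Type" => "text/plain" }, ["ok\n"]] }

def admin_status(path, scheme, forwarded_proto = nil)
  env = { "PATH_INFO" => path, "HTTP_HOST" => "example.herokuapp.com",
          "QUERY_STRING" => "", "rack.url_scheme" => scheme }
  env["HTTP_X_FORWARDED_PROTO"] = forwarded_proto if forwarded_proto
  RequireSslForAdmin.new(DEMO_APP).call(env).first
end

puts admin_status("/admin/settings", "http")          # 301: admin over plain HTTP
puts admin_status("/admin/settings", "http", "https") # 200: TLS ended at the router
puts admin_status("/posts", "http")                   # 200: public route, untouched
```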
I would investigate having a local rails admin app that connects to the heroku postgres install. Info on connecting directly: http://devcenter.heroku.com/articles/heroku-postgresql
That way, you are keeping the /admin out of the internet, and it is about the same, security-wise, as a "heroku console" vulnerability.
You could secure network access to the local admin service, along with authlogic at the app layer.
The postgresql connections are relatively new, so YMMV