We have just released Hanami 2.2!
Read the announcement.
Security
Features
We believe in a secure web, made by secure applications.
We offer advanced security features to protect against common attacks.
Hanami implements synchronized tokens against Cross-Site Request Forgery (CSRF), automatic HTML escaping to prevent Cross-site Scripting (XSS), a clear database API to avoid SQL Injection, Content-Security-Policy to stop untrusted assets to be loaded by you customer's browser, and other features.
We actively ship security improvements and assess for new vulnerabilities.
Reporting a vulnerability
If you find a vulnerability, please be responsible and do not share it publicly. Instead, please contact us:
If you don't get an answer, please contact privately Luca Guidi or another member of the core team
If none of those worked, please announce on the chat that you have a security problem to report. Please do NOT share the problem in chat, as it's a public channel
Disclosure policy
Once we'll have received the security report, we'll proceed like this:
Once the security report is received, we'll assign it to a primary contact. This person is responsible for the entire process
When the problem is confirmed, we'll determine the supported versions affected and audit the code to find similar vulnerabilities
We'll write patches, but not share them over our GitHub organization until the end of the process
We'll contact the vulnerability reporter again, to double-check that the patches fix the problem
We'll obtain a CVE from MITRE
We'll apply the patches to our codebase over GitHub, release the gems over Rubygems, and write a public announcement.
We'll try our best to handle the process in a timely manner, please be patient.
We are dedicated to building and maintaining a secure framework, but we're all volunteers.
Anatomy of an announcement
The security announcement will contain:
A detailed description of the problem
The CVE ID (if present)
The steps that we'll take to prevent similar problems
The affected/non-affected versions
The released versions
The patches as downloadable files
Supported versions
We currently support the 2.x and 1.x series of Hanami.