CSRF token fixation attacks in Devise

Devise has been reported to be vulnerable to CSRF token fixation attacks. The attack can only be exploited if the attacker can set the target session, either through subdomain cookies (similar to the one described here) or by fixation over the same Wi-Fi network. If the user knows the CSRF token, cross-site forgery requests can be made. …

Using Boxen for automating our development setup

Rafael França shows how Plataformatec manages the development setup using Boxen, a tool created on top of puppet to automate machine setups.

How to properly mirror a git repository

When people talk about mirroring a git repository, usually we have a simple answer in mind: just git clone the repo and you're set! However, what we want with mirroring is to replicate the state of an origin repository (or upstream repository). By state, we mean all the branches (including master) and all the tags …

Devise and Rails 4

Devise 3.0 rc version with Rails 4 compatibility and new 2.2.4 stable version. Simple Form, Responders, Show For and Mail Form versions with Rails 4 compatibility.

Take a look at Simple Form and Devise brand new logos

We are very glad to announce the logos for two of our favorite Rails open source projects, Simple Form and Devise. We would like to congratulate our designer, Bruna Kochi, who was able to capture the essence of each project in their logos. We will write about their design process soon! Those projects have been …

Extending and customizing 3rd party code

There is a gem available for every kind of feature or scenario we might face in our applications, which helps us focus our development time on the things that matter more to our applications. But every now and then these packaged solutions aren't exactly what we need, and some sort of customization needs …