Security Questionaires

Some customers, large and small have a security questionnaire that they ask about your security practices. Please contribute as you get these questions.

1. What is the name of the framework that generates your Session IDs?
   • Ruby on Rails / Devise
2. Do sessions automatically time out after a specified period of inactivity?
   • Yes
3. How long is the session timeout?
   • Configured in session_store.rb
4. Does the application use a secure cryptographic psuedo random number generator?
   • Yes
5. The HttpOnly setting is set for authentication cookies
   • Yes (by default, overridable in session_store.rb (and N/A if using soley session store)
   • No (if you have turned this off)
6. Session cookies are marked secure
   • Yes
7. HSTS Security
   • No (unless implemented in headers/nginx) (Http redirecting to HTTPS via ForceSSl type gems do not count)
8. Session Ids Can be Constructed in many ways, select the methods used in your application
   • Framework has built in session ID mechanism
   • Our session IDs are randomly generated strings or numbers
   • We store a signed token as a cookie to indicate that the user is successfully logged in