As I was struggling to secure my rails app, I thought this tutorial came right on time; unfortunately I'm still having a crucial problem.
While I could follow the steps and configure rack-cors to allow requests from specific domains, what I really need to do now is make sure only my app can call pages such as /users.json. With rack-cors I can avoid other websites calling my site, but how can I avoid people calling the pages via curl, for example?
I wrote ruby wrappers to call other APIs so that I would not expose my credentials in the javascript calls, so now my credentials are hidden, but I built access points that are totally open to the world, even easier to use than the original APIs as they don't require authentication....
I thought adding "protect_from_forgery" in the controller should take care of this, but it has no effect.
Is there a way to secure GET requests as such? Or do I need to rewrite my app to use POSTs instead? I'm a bit lost because I learned this process following this other tutorial https://www.driftingruby.com/episodes/deeper-dive-into-stimulusjs
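The problem the comment above describes comes down to two facts: CORS headers are enforced by browsers, so a client like curl simply ignores them, and `protect_from_forgery` only verifies CSRF tokens on non-GET requests, so it does nothing for a GET to /users.json. The only thing that keeps non-browser clients out of a JSON endpoint is authentication on the endpoint itself. The following is an added example, not code from the commenter, the episode or rack-cors: a minimal Rack-style app written in plain Ruby (no Rails or rack gem required) that sets a CORS header for an allowed origin but still returns 401 unless the request carries a valid signed bearer token. The app name, the `API_SECRET` value, the allowed origin and the token format are all assumptions made for the example.

```ruby
require "openssl"
require "json"

# Constructed secret for the example only; a real app keeps this in
# Rails credentials or an environment variable, never in source.
API_SECRET = "example-secret-not-for-production".freeze
ALLOWED_ORIGINS = ["https://app.example.com"].freeze

# Constructed sample data standing in for what /users.json would render.
USERS = [{ "id" => 1, "name" => "alice" }, { "id" => 2, "name" => "bob" }].freeze

# A tiny Rack-compatible app: takes an env hash, returns [status, headers, body].
class ProtectedJsonApp
  def initialize(secret:, allowed_origins:)
    @secret = secret
    @allowed_origins = allowed_origins
  end

  def call(env)
    headers = { "content-type" => "application/json" }

    # CORS only tells a *browser* which origins may read the response.
    # curl never looks at this header, so it is not an access control.
    origin = env["HTTP_ORIGIN"]
    headers["access-control-allow-origin"] = origin if @allowed_origins.include?(origin)

    return [404, headers, [{ "error" => "not found" }.to_json]] unless env["PATH_INFO"] == "/users.json"

    # This is the check that actually keeps anonymous callers out,
    # regardless of whether the request is a GET or a POST.
    unless authenticated?(env)
      return [401, headers, [{ "error" => "authentication required" }.to_json]]
    end

    [200, headers, [USERS.to_json]]
  end

  private

  # Token format (assumed for this example): "<user_id>.<hex HMAC-SHA256 of user_id>".
  # The server can verify it with the secret alone, no database lookup needed.
  def authenticated?(env)
    auth = env["HTTP_AUTHORIZATION"].to_s
    return false unless auth.start_with?("Bearer ")

    user_id, mac = auth.delete_prefix("Bearer ").split(".", 2)
    return false if user_id.nil? || user_id.empty? || mac.nil?

    expected = OpenSSL::HMAC.hexdigest("SHA256", @secret, user_id)
    secure_compare(expected, mac)
  end

  # Constant-time comparison so a forged token cannot be guessed byte by byte
  # from response timing (same idea as ActiveSupport::SecurityUtils.secure_compare).
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

# What the server hands to a logged-in user (e.g. after a normal login).
def issue_token(secret, user_id)
  "#{user_id}.#{OpenSSL::HMAC.hexdigest("SHA256", secret, user_id)}"
end

# Build a Rack env for a GET, turning HTTP header names into HTTP_* keys.
def build_env(path, request_headers = {})
  env = { "REQUEST_METHOD" => "GET", "PATH_INFO" => path }
  request_headers.each { |name, value| env["HTTP_#{name.upcase.tr('-', '_')}"] = value }
  env
end

APP = ProtectedJsonApp.new(secret: API_SECRET, allowed_origins: ALLOWED_ORIGINS)

# Returns just the status code for a GET /users.json with the given headers.
def request_status(request_headers = {})
  APP.call(build_env("/users.json", request_headers)).first
end

if __FILE__ == $PROGRAM_NAME
  puts "curl, no credentials:        #{request_status}"                                      # 401
  puts "browser, allowed origin:     #{request_status("Origin" => ALLOWED_ORIGINS.first)}" # 401 (CORS != auth)
  puts "valid token:                 #{request_status("Authorization" => "Bearer #{issue_token(API_SECRET, '42')}")}" # 200
  puts "forged token:                #{request_status("Authorization" => "Bearer 42.deadbeef")}"                      # 401
end
```

In a Rails app the equivalent is a `before_action` on the controller that serves the JSON (for example Devise's `authenticate_user!`, or a token check like the one above) rather than a change from GET to POST. Switching verbs would only make `protect_from_forgery` apply, and a CSRF token is a browser-session defence, not a substitute for authenticating the caller.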
Wow, that looked doable..... a whole day trying to install ruby in any possible way (build, rbenv, rvm, asdf). Hell of a nightmare of openssl version mismatch....
M1 chips and Big Sur are absolutely not ready for developers, stay away!!!!
A little tricky to put in place; got it almost all working, but as I was trying out an even more extreme solution, from DeX running on a Samsung S9, there was just too much lag and too many bugs to seriously work. (But it will probably work at some point with the newest phones.)
Since then I came across gitpod.io, in my opinion a much better approach to a remote development environment. I highly recommend checking it out.