8

I'm just getting started with Ruby on Rails development and I have a question concerning source code "privacy".

From what I know so far (i have not done a deployment yet, only used RoR in a local development environment), that when a RoR application is deployed, all the source code is "visible" on the server?

How can I protect my code; so to speak? By protection I mean, the main purpose being that someone (such as a server administrator on a RoR provider) not being able to "sabotage" the code by easily figuring out what place in the code to "fiddle with".

How do sites like Shopify, Yellowpages etc. that use RoR, ensure that their code isn't "sabotaged"?

UPDATE What I'm really looking for is, suppose if I have some code that's doing Credit Card transactions, I don't want some rogue employee reading "plain text source code" and sabotaging my website, say by reading my source code and then charging everyone of the signed-up users $10 as a gag. How do I prevent that sort of thing?

3
  • 1
    Sites like Shopify, Yellowpages etc. most likely run their own server, so they don't care the server admin can read the code. If you use a bonafide hosting provider, I don't think there is a need to protect your code. Commented Sep 11, 2010 at 7:20
  • @captiontokyo, so what you're saying is that there is no need to obfuscate the code either? Commented Sep 11, 2010 at 7:32
  • 2
    If you are accepting payments, do not roll your own or store the data on your servers. Go through places like Fastspring and/or Paypal. The amount of regulations is mind-boggling and all it takes is one error on your part to put you in legal hot-water. Commented Sep 11, 2010 at 20:52

6 Answers

13

Similar to Matt Briggs's point is that if you don't trust your web host, you're addressing the wrong problem. If your web host wants to steal your data, cripple your website, redirect your users, etc., nothing can stop them. Even if the code is fully compiled binary code written in assembler, your admin could still find a hack, replace resources, or replace your code altogether. Moral of the story: find a web host you trust, don't bother obfuscating your code.


4 Comments

Well, how can one trust any 3rd party anyway? When I have some "X" purpose in mind, and I have to depend on a webhost I have no control over, how can I "trust" them anyway? That's the whole question burning in my mind.
@Zabba You are being quite a bit paranoid here. In a sue-happy country like ours, doing anything like that would be extremely stupid on their part.
The more legitimate concern is probably being on a shared server and it not properly being configured, allowing your data / code to be compromised. The way more companies get around this is by buying and securing their own servers. Even with that, few actually host their servers in house. Server hosts are motivated NOT to steal from you because (a) it is illegal and they don't want to get sued and (b) if they did steal your code, no one would use their services. No offense, but your code is not likely worth more than the sum of income from all their customers for even one month.
I work at a place that hosts a lot of sites. I seriously doubt most people in a similar position have any interest in what is on the sites, nor do they have time to screw around with them. It's really not that interesting to us.
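The answers above make the point that someone with control of the server can change anything, so obfuscation buys nothing. What a practitioner can still do about the "fiddling" worry in the question is detect it: keep a hash manifest of the deployed source and compare it against a baseline stored somewhere the host cannot edit. The script below is an added illustration, not code from any poster or from RubyEncoder; `build_manifest`, `verify_manifest` and the temporary app tree it creates are constructed for the demo.

```ruby
require "digest"
require "json"
require "tmpdir"
require "fileutils"

# Build a manifest: relative path => SHA-256 of contents, for every file
# under app_root matching the given globs (constructed helper for this demo).
def build_manifest(app_root, globs = ["app/**/*.rb", "config/**/*.rb", "lib/**/*.rb"])
  manifest = {}
  globs.each do |g|
    Dir.glob(File.join(app_root, g)).sort.each do |path|
      next unless File.file?(path)
      rel = path.sub(%r{\A#{Regexp.escape(app_root)}/?}, "")
      manifest[rel] = Digest::SHA256.file(path).hexdigest
    end
  end
  manifest
end

# Compare a fresh manifest against a trusted baseline. The baseline must be
# kept and compared OFF the host: anyone with server access can rewrite a
# baseline that sits next to the code, which is exactly the answers' point.
def verify_manifest(baseline, current)
  {
    added:    current.keys - baseline.keys,
    removed:  baseline.keys - current.keys,
    modified: baseline.keys.select { |k| current.key?(k) && current[k] != baseline[k] }
  }
end

# Constructed scenario: a tiny fake Rails tree, a baseline, then the kind of
# change the question worries about (a payment constant edited, a file added).
def demo
  Dir.mktmpdir do |root|
    FileUtils.mkdir_p(File.join(root, "app/models"))
    FileUtils.mkdir_p(File.join(root, "config"))
    File.write(File.join(root, "app/models/charge.rb"), "class Charge; AMOUNT = 1; end\n")
    File.write(File.join(root, "config/routes.rb"), "Rails.application.routes.draw {}\n")
    baseline = build_manifest(root)
    File.write(File.join(root, "app/models/charge.rb"), "class Charge; AMOUNT = 10; end\n")
    File.write(File.join(root, "app/models/unexpected.rb"), "# file not in baseline\n")
    verify_manifest(baseline, build_manifest(root))
  end
end

puts JSON.pretty_generate(demo) if $PROGRAM_NAME == __FILE__
```

Run the verification from a CI job or a separate box against a baseline taken from your own repository; a report of `modified` or `added` paths is the signal to investigate, not proof of who did it.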
9

At the end of the day, there is trust involved. If your admin wants to screw you, he will, and obfuscation won't do much to stop him.

3 Comments

If an app was in x86 assembler, that would make it less susceptible, right?
Probably, but the guy controls the server. If he wants, he could fake the styling of your app, put his own somewhere else, and redirect folks over there. Or he could just look in your database, usually that contains more valuable and sensitive things than your app code anyways
Zabba-Only if the admin doesn't know assembly.
9

From my experience, when you sell a product that deploys to a customer's server, I use

http://rubyencoder.com/

It works on many platforms via its loader. But like others said, Rails should be open.

1 Comment

Is there an opensource alternative?
5

I think that this is what you are looking for

http://rubyencoder.com/overview.html

Comments

3

I highly doubt a reputable hosting service will fiddle with your code. They are busy enough running their servers. And if they wanted to, there's not much you can do to stop them. Code obfuscation (in any language) is a silly thing to do.

Regarding your security concerns, I just hope you are not going to be storing any credit card information on your website. You must comply with PCI standards in order to do that, and that's not an easy thing to accomplish. Storing CC info without being PCI compliant is illegal.

So you will have to use a payment gateway (like PayPal or Authorize.net) for your payments, and I believe the user will be able to see what they are being charged.

Comments

1

A hosting company will never ever touch or investigate your code, unless you are doing things that hurt their server (like infinite loops, eating away all CPU), and even in that case they will just block that page or url.

I can imagine if you deploy your application to an intranet of a company, and they also have their developers, that one might be afraid to lose out on maintenance and support fees because they would take over themselves. But those things you cover with contracts.

The people having direct access to your ruby source-code are supposed to be co-workers or partners, where there is a clear business relationship, and normally this business-relationship is worth more. If you do not trust your co-workers or the people you work with or for, then I think you should reconsider your position.

I even believe that being as loose as possible with clients (here is the source, you can edit it if you want), generally makes them trust you even more and make them more likely to call you back.

Comments
