Best practice security measures for an enterprise Rails app?

What security measures should a Rails enterprise app have?

Examples of few security measures:

Admin area authenticated and IP restricted

No User added CSS, because of some ol开发者_Python百科d browsers can run JavaScript in CSS

Should User information in database be encrypted?

I would suggest looking over the Rails Security Guide which should go over the common pitfalls that you would usually encounter. Also check out the additional resources that they list on the guide:

The security landscape shifts and it is important to keep up to date, because missing a new vulnerability can be catastrophic. You can find additional resources about (Rails) security here:

• The Ruby on Rails security project posts security news regularly: http://www.rorsecurity.info
• Subscribe to the Rails security mailing list
• Keep up to date on the other application layers (they have a weekly newsletter, too)
• A good security blog including the Cross-Site scripting Cheat Sheet

There are a lot of essential security precautions such as a strong authentication system, validating user input to mitigate XSS and SQL injection attacks and escaping HTML at the views.

You can find information about common Ruby on Rails application vulnerabilities and their countermeasures at the Zen Rails Security Checklist.