Posted by Luca Guidi on March 23, 2015
This is the most exciting Lotus release ever. We have new features, improved security, and more real world use cases.
Lotus is getting more and more stable. This is the result of real-world feedback from products that we are following closely during their development with Lotus.
The first company that we are happy to welcome to our family is DNSimple. They maintain a rock-solid Ruby code base that uses Rails for their flagship product and Lotus for their next HTTP API.
Security is a vital factor for companies and a sensitive subject for users. A product won’t survive if not proven secure.
The Web is an insecure place. As a Community, we need to build a Security culture. Lotus wants to increase the level of awareness around this topic and provide defense mechanisms to common attacks.
Please remember that there is no silver bullet when it comes to security. Nearly every protection can be bypassed by an experienced attacker, so developers should use all the available tools to make an attacker's life harder.
XSS (Cross-Site Scripting) is one of the most common threats to web applications. It is caused by unescaped malicious input, often submitted through forms. Once the payload is rendered into a web page, the injected script runs in the victim's browser with the privileges of the page and can take control of the session and steal data (for example, cookies).
As a first countermeasure, from now on the output of views, helpers and presenters is escaped by default.
Secondly, cookies are sent with the HttpOnly flag, so they cannot be read through document.cookie. If a malicious script tries to steal them, the browser will stop it. Note that HttpOnly only hides the cookie from scripts; a script that is already running on the page can still issue requests that carry it, which is why output escaping remains the primary defense.
We're not done yet: there is also Content Security Policy (CSP). It's a feature supported by modern browsers that lets a site declare the trusted sources of its scripts, stylesheets and fonts, so that injected inline scripts or scripts loaded from other origins are refused. It's a powerful defense in depth against XSS and insecure script execution on your pages. Big products like GitHub, Twitter and GMail use it. Lotus is the first Ruby web framework that makes CSP a default.
Clickjacking is an attack that tricks users into clicking an invisible malicious element. The trick is to embed a trusted web page in an iframe on an attacker-controlled page, so the user believes they are interacting with the trusted site while their clicks are hijacked by the harmful context.
The solution is to send an HTTP header (X-Frame-Options) that regulates which origins may embed your web application's pages in a frame. Again, Lotus is the first Ruby web framework that enables this defense by default.
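The three defaults described above (HttpOnly cookies, a Content-Security-Policy header and X-Frame-Options) can be seen together in a small Rack-style middleware. This is an added example and not Lotus's own code: the policy string is an illustrative one, not the policy Lotus ships, and the sample application it wraps is constructed for the example. A Rack application is any object whose call method takes an env hash and returns a status, a headers hash and a body, so nothing beyond the Ruby standard library is needed to run it.

```ruby
# Added example (not Lotus's own code): a minimal Rack-style middleware that
# applies the three defaults described above to any response it wraps.
class SecurityHeaders
  # Illustrative policy (assumption: not the policy Lotus ships). 'self' allows
  # only same-origin resources; inline <script> blocks are refused unless the
  # policy adds 'unsafe-inline'. frame-ancestors is the CSP successor to
  # X-Frame-Options, so both are sent for old and new browsers.
  DEFAULT_CSP = "default-src 'self'; script-src 'self'; style-src 'self'; " \
                "font-src 'self'; connect-src 'self'; frame-ancestors 'none'".freeze

  def initialize(app, csp: DEFAULT_CSP, frame_options: 'DENY')
    @app = app
    @csp = csp
    @frame_options = frame_options
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers = headers.dup
    # Only fill in headers the application did not set itself.
    headers['Content-Security-Policy'] ||= @csp
    headers['X-Frame-Options'] ||= @frame_options
    headers['Set-Cookie'] = harden_cookies(headers['Set-Cookie']) if headers['Set-Cookie']
    [status, headers, body]
  end

  # Rack joins multiple Set-Cookie values with "\n" in one header value;
  # add HttpOnly to each cookie that does not already carry it.
  def harden_cookies(value)
    value.split("\n").map { |cookie| cookie_with_httponly(cookie) }.join("\n")
  end

  def cookie_with_httponly(cookie)
    attrs = cookie.split(';').map(&:strip)
    attrs << 'HttpOnly' unless attrs.any? { |a| a.casecmp('httponly').zero? }
    attrs.join('; ')
  end
end

# Constructed sample application: it sets a session cookie with no
# protective attributes and sends no security headers at all.
PLAIN_APP = lambda do |_env|
  [200,
   { 'Content-Type' => 'text/html', 'Set-Cookie' => 'session=abc123; Path=/' },
   ['<h1>Hello</h1>']]
end

def secured_response(env = {})
  SecurityHeaders.new(PLAIN_APP).call(env)
end

if __FILE__ == $PROGRAM_NAME
  _status, headers, _body = secured_response
  headers.each { |name, value| puts "#{name}: #{value}" }
end
```

Running the file prints the hardened headers for the sample response: the cookie now ends in HttpOnly, and the page carries both the CSP and X-Frame-Options. The middleware fills in headers only where the application set none, so an action that needs a different policy (for example to allow a CDN in script-src) can still set its own.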
With this release we have shipped powerful features to make the experience with Lotus more and more frictionless.
While developing a feature that requires a new endpoint, it can be inconvenient to write all the required code by hand. It just breaks the flow.
To solve this problem, we have introduced a new command line utility: lotus generate action. It produces an action, a view, a template, a route and their related test code.
We have improved the application generator to allow Lotus applications to meet developers’ needs.
The command now accepts a --database command line argument to set up the database of choice. Example: lotus new bookshelf --database=postgresql.
Another point of extension is the --test argument. It generates setup code for Minitest (default) or RSpec. Example: lotus new bookshelf --test=rspec.
We added the ability to generate an application inside an existing code base. Think of a Ruby gem that needs a web UI: with lotus new . it's now possible.
As a last command line facility, we want to introduce lotus db console, a database REPL.
Today we have released a new framework in the Lotus family: lotus-helpers. Following our tradition, it's shipped as a standalone gem that can be used to enhance views, templates and helpers in Ruby applications, even outside of Lotus.
It delivers an HTML5 markup generator and routing helpers. On the security front, it brings HTML, HTML attribute and URL escape functions that follow the OWASP/ESAPI recommendations.
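To show what the three escape contexts mentioned here mean in practice, and how the escape-by-default output described in the XSS section avoids escaping a value twice, here is an added example. It is not the lotus-helpers implementation: the functions follow the OWASP XSS prevention rules for the HTML body, HTML attribute and URL parameter contexts, the SafeString marker class is an assumption about how an escape-by-default view layer can track already-escaped output, and the template and inputs are constructed for the example.

```ruby
# Added example, not code from lotus-helpers: context-specific escaping
# following the OWASP XSS prevention rules, plus a marker class so that
# escape-by-default rendering does not escape a value twice.
module Escape
  # HTML body context: the characters that can break out of text content.
  HTML_ENTITIES = {
    '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
    '"' => '&quot;', "'" => '&#x27;', '/' => '&#x2F;'
  }.freeze

  # RFC 3986 unreserved bytes, the only ones left untouched by .url.
  UNRESERVED = (('A'..'Z').to_a + ('a'..'z').to_a + ('0'..'9').to_a +
                %w[- _ . ~]).map(&:ord).freeze

  # Marks output that is already escaped (or deliberately trusted).
  class SafeString < String; end

  # Normalise any input to valid UTF-8 so the regexps below cannot raise.
  def self.to_utf8(input)
    input.to_s.encode('UTF-8', invalid: :replace, undef: :replace)
  end

  # HTML body context: a SafeString passes through untouched.
  def self.html(input)
    return input if input.is_a?(SafeString)
    SafeString.new(to_utf8(input).gsub(/[&<>"'\/]/) { |c| HTML_ENTITIES[c] })
  end

  # HTML attribute context: every non-alphanumeric character below U+0100
  # becomes a numeric entity, which neutralises quote breaking and injected
  # event handlers even in unquoted attributes.
  def self.attribute(input)
    return input if input.is_a?(SafeString)
    escaped = to_utf8(input).each_char.map do |c|
      cp = c.ord
      (c.match?(/[A-Za-z0-9]/) || cp >= 256) ? c : format('&#x%02x;', cp)
    end
    SafeString.new(escaped.join)
  end

  # URL parameter context: percent-encode every byte except the unreserved
  # set. This escapes a value for use inside a URL; it does not validate the
  # scheme of a complete URL, so a javascript: href must be rejected separately.
  def self.url(input)
    to_utf8(input).bytes.map do |b|
      UNRESERVED.include?(b) ? b.chr : format('%%%02X', b)
    end.join
  end
end

# Constructed template: one untrusted value in three different contexts,
# each escaped with the function for that context.
def render_link(label, query)
  "<a href=\"/search?q=#{Escape.url(query)}\" " \
    "title=\"#{Escape.attribute(label)}\">#{Escape.html(label)}</a>"
end

if __FILE__ == $PROGRAM_NAME
  puts render_link('<b>x</b>', 'a b')
  puts Escape.html('<script>alert(1)</script>')
end
```

The point of having three functions is that the safe character set depends on where the value lands: a quote is harmless in text but breaks an attribute, and a space is harmless in an attribute but breaks a URL. In an escape-by-default view layer, Escape.html is what the template engine would apply to every interpolated value; a helper that builds markup deliberately returns a SafeString so that its output is not escaped a second time.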
Database transactions, Interactors, logger and safe nested param access are only a few of the features that are available as of today with 0.3.0.
We want to say thank you to Alfonso Uceda Pompa, Linus Pettersson, Huy , Hiu Nguyn, Tom Kadwill, Jimmy Zhang, and all the wonderful people that are making Lotus a better place every day.
We are already developing new functionalities for the next release: database migrations, form helpers, number formatters, CSRF protection and more.