Skip to main content

secure_string_comparison

🔒 Use Secure Compare for Tokens

Avoid timing attacks when comparing sensitive strings by using ActiveSupport::SecurityUtils.secure_compare instead of ==.

token_from_request = params[:token]
if ActiveSupport::SecurityUtils.secure_compare(token_from_request, stored_token)
  # tokens match
else
  # tokens do not match
end

🔒 Use Secure Compare for Tokens