timing_attack_secure_compare

⏱️ Mitigating Timing Attacks with secure_compare

Plain == returns as soon as it finds a differing byte, so the time it takes leaks how many leading bytes of the secret matched. Always use a constant-time comparison for tokens, digests, or any other sensitive string equality check.

# app/services/token_validator.rb
class TokenValidator
  # Returns true only if provided_token equals stored_token, comparing every
  # byte regardless of where a mismatch occurs.
  def self.valid?(provided_token, stored_token)
    # Length is not secret, so an early exit on a length mismatch is acceptable;
    # it also guarantees both inputs are the same size for the fixed-length compare.
    return false unless provided_token.bytesize == stored_token.bytesize

    ActiveSupport::SecurityUtils.secure_compare(provided_token, stored_token)
  end
end

In controllers or services, call TokenValidator.valid? instead of == when verifying API keys, session tokens, or 2FA codes.
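An added example, not code from the page above, that shows what secure_compare protects against: an instrumented comparison that stops at the first mismatching byte (the String#== behaviour), beside a pure-Ruby constant-time comparison written in the style of the classic ActiveSupport implementation. The helper names (naive_equal?, constant_time_equal?, secure_compare) are assumptions made for this example.

```ruby
# Naive equality: returns on the first mismatching byte. `steps` counts how many
# bytes were inspected, which is exactly what elapsed time reveals to an observer.
def naive_equal?(a, b)
  steps = 0
  return [false, steps] unless a.bytesize == b.bytesize

  a.each_byte.zip(b.each_byte) do |x, y|
    steps += 1
    return [false, steps] if x != y
  end
  [true, steps]
end

# Constant-time equality for same-length inputs: XOR each byte pair and OR the
# results into an accumulator, so every byte is inspected whether or not a
# mismatch occurs. Returns [result, steps] so the two strategies can be compared.
def constant_time_equal?(a, b)
  raise ArgumentError, "inputs must have the same length" unless a.bytesize == b.bytesize

  acc = 0
  steps = 0
  a.each_byte.zip(b.each_byte) do |x, y|
    steps += 1
    acc |= x ^ y
  end
  [acc.zero?, steps]
end

# Length check first (token lengths are not secret), then the fixed-length
# constant-time compare, mirroring what TokenValidator.valid? does via ActiveSupport.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize

  constant_time_equal?(a, b).first
end

if $PROGRAM_NAME == __FILE__
  stored = "8f3a9c1d"                      # constructed sample token
  [["0f3a9c1d", "first byte wrong"], ["8f3a9c1e", "last byte wrong"]].each do |guess, label|
    _, naive_steps = naive_equal?(guess, stored)
    _, ct_steps    = constant_time_equal?(guess, stored)
    puts "#{label}: naive inspected #{naive_steps} bytes, constant-time inspected #{ct_steps}"
  end
end
```

Run it to see the naive comparison inspect 1 byte for the first guess and all 8 for the second, while the constant-time version inspects 8 in both cases.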