- Never use `.not_nil!` on user-controlled data without prior validation — it raises `NilAssertionError` at runtime; use conditional checks or `.try` instead.
- Use `HTTP::Client` with explicit SSL context (`OpenSSL::SSL::Context::Client`) and enforce certificate verification — never pass `tls: OpenSSL::SSL::Context::Client.insecure` in production.
- Use parameterized queries: open the connection with `DB.open` and pass values as separate arguments, as in `db.query("SELECT * FROM users WHERE id = ?", user_id)` — never interpolate user input into SQL strings.
- Use `Random::Secure.hex(32)` for cryptographic token generation — never use `Random::DEFAULT` or `rand()` for security-sensitive values.
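
The first and last rules combined, as an added example that is not code from the original page: a form field is validated with `[]?` and `.try` instead of `.not_nil!`, and a token is issued from `Random::Secure` only for valid input. The method names `parse_user_id` and `issue_reset_token`, the `user_id` field and the sample bodies are assumptions constructed for illustration.

```crystal
require "uri"
require "uri/params"
require "random/secure"

# Constructed form bodies, as an HTTP handler might receive them.
SAMPLES = [
  "user_id=42",  # well-formed
  "user_id=abc", # present but not numeric
  "name=alice",  # field missing entirely
  "user_id=-7",  # numeric but out of range
]

# Hypothetical helper: returns a validated id, or nil for bad input.
# A missing or malformed field is an expected case here, so nothing
# calls .not_nil! and nothing can raise NilAssertionError.
def parse_user_id(body : String) : Int64?
  raw = URI::Params.parse(body)["user_id"]? # String?, nil when absent
  id = raw.try(&.to_i64?)                   # Int64?, nil when not a number
  return nil unless id && id > 0
  id
end

# Hypothetical helper: issues a token only for a valid request.
def issue_reset_token(body : String) : String?
  return nil unless parse_user_id(body)
  # 32 bytes from the operating system CSPRNG, rendered as 64 hex chars.
  Random::Secure.hex(32)
end

SAMPLES.each do |body|
  if token = issue_reset_token(body)
    puts "#{body.inspect}: issued token of #{token.size} hex chars"
  else
    puts "#{body.inspect}: rejected (missing or invalid user_id)"
  end
end
```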