Yi Mei Wang

Hey everyone, so I deployed my app onto Digital Ocean according to the Gorails guide and I managed to get it working. My is able to connect to DO's managed database, and serve content normally.

I moved on to set up log rotation, but it seems like there is no "production.log" anywhere in my app? I can see all of Rail's incoming request logged on nginx's error.log but nothing is actually written the production.log. I am very confused as to why this happens?

Since these are requests log, it doesn't seem right that it would be in the error log. But it also seems like Nginx handles it's own log rotation because I see that everytime I run the command /usr/sbin/logrotate -f /etc/logrotate.conf, it automatically deletes the old logs.

I'd appreciate if anyone can explain why or how to fix this? It also feels like I could just leave it as it is, since ultimately requests are being logged, though I'm not sure if this is a good practice.

So I'm working on an app where the Admin dashboard is built on Vue and backend is Rails. There are parts where the Admin can update some Rich Text content, and it will be rendered by Rails. But in doing so, I think there's a possibility that the Rich Text data will introduce some XSS vulnerability considering when Rails render it, it will render with the html markup. I know Rails has some view helpers to sanitize output, but I think it's not a good enough solution because it requires every single developer to remember to do that, which is very prone to human error.

What are some ways to prevent these XSS issues, and if possible, when you guys explain, can you go a little bit more in-depth with your suggestion explanations in each step? Solving this issue aside, I think it's one side of development that's quite interesting and I just generally want to learn more about this

That's an incredibly simple and elegant solution. Thank you so much Chris!

I'm just curious, is it possible to write vue.erb? Does Rails know how to handle this by default or do you have to do some config magic?

In terms of using Rails/Vue, personally my current practice is to separate them entirely. I build a Vue app that interacts with my Rails API because I use a lot of 3rd party components, and it's simply easier to do that in a separate app altogether.

My Vue app handles it's own routing and static assets, Rails handles it's own API routes and assets, so I do not miss any of the image helpers or link helpers.

That being said,, Vue is a framework that is incrementally adoptable. So you can actually use Vue with a CDN and use it with your html.erb without any issues. If you have existing front end code and a sudden jump to an entirely different Vue app is too much work, it's worth considering this option.

So I am working on a multitenancy app that needs to store users' API keys for 3rd party services, but given that these are rather sensitive information, I imagine I should have some form of security to protect these data? But I'm really not sure what is the best practice or approach to these situations.

Have you guys done anything like that? I've also read that some people salt and hash the credentials, but in that case, I don't think i'd be able to decrypt and read it?