Rosa Gutierrez d88949288c Check and report on Sec-Fetch-Site header for forgery protection
This is a great, solid alternative to CSRF tokens for CSRF protection
when we aren't worried about older browsers or other kind of actors
doing modifying requests in our app, and could be a good test for future
upstreaming to Rails (although there we'd need to continue using CSRF
tokens or at least letting people opt out manually).

Let's start checking the header and reporting on it when CSRF fails or
when it doesn't match the other checks Rails does, and then promote this
to be the only way to defend from CSRF.
2025-11-25 19:19:50 +01:00
2025-11-17 09:12:41 -05:00
2025-11-25 14:09:31 +01:00
2024-06-21 13:19:56 +01:00
2025-11-10 12:33:29 -08:00
2025-11-24 14:21:42 -05:00
2024-06-21 13:19:56 +01:00
2024-06-21 13:19:56 +01:00
2024-06-21 13:19:56 +01:00
2024-06-21 13:19:56 +01:00
2025-10-08 14:06:28 -07:00
2025-11-17 09:12:17 -05:00
2025-10-09 13:24:01 -07:00
2025-11-20 10:20:02 -05:00
2025-11-21 14:53:29 +00:00
2025-10-23 15:35:57 -07:00
2024-06-21 16:42:48 +01:00
2025-11-20 10:20:02 -05:00
2025-11-20 10:20:02 -05:00

Fizzy

Setting up for development

First get everything installed and configured with:

bin/setup

If you'd like to load fixtures:

bin/rails db:fixtures:load

And then run the development server:

bin/dev

You'll be able to access the app in development at http://fizzy.localhost:3006

Running tests

For fast feedback loops, unit tests can be run with:

bin/rails test

The full continuous integration tests can be run with:

bin/ci

Tests

Outbound Emails

Development

You can view email previews at http://fizzy.localhost:3006/rails/mailers.

You can enable or disable letter_opener to open sent emails automatically with:

bin/rails dev:email

Under the hood, this will create or remove tmp/email-dev.txt.

Environments

Fizzy is deployed with Kamal. You'll need to have the 1Password CLI set up in order to access the secrets that are used when deploying. Provided you have that, it should be as simple as bin/kamal deploy to the correct environment.

Beta

Beta is primarily intended for testing product features.

Beta tenant is:

This environment uses local disk for Active Storage.

Staging

Staging is primarily intended for testing infrastructure changes.

This environment uses a FlashBlade bucket for blob storage, and shares nothing with Production. We may periodically copy data here from production.

Production

This environment uses a FlashBlade bucket for blob storage.

S
Description
No description provided
Readme 62 MiB
Languages
Ruby 67.8%
HTML 14.6%
CSS 10.8%
JavaScript 5.6%
Shell 0.9%
Other 0.3%