I've managed to set up authlogic, and quite nice it appears too. Is it secure enough out of the box?

I haven't really configured it too much. I'm going to be using it on a school website where the headmaster basically logs in with username and password to edit notices on the website. So it needs to be secure, but it ain't a bank or an e-commerce site or anything.

All I've done is restrict access to all the edit pages so you need a username and password, and I was going to leave my security at that. What do you think?

+1  A: 

Restrict access to new, create, edit, update and delete (so only show actions are 'in the clear').

Other than that, I've never come across mention of any Authlogic security issues with a default configured Authlogic setup. Most of the configuration options are provided for dealing with specific requirements imposed by certain environments rather than something that is required for clean environments.

workmad3
A: 

Be sure to add functional tests to ensure that anyone who is not logged on cannot do new, create, edit, update and delete actions. The beauty with tests in this situation is that sometimes they weed out things you may have missed in the initial coding.

LDK
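
The test suggested in the answers above, sketched as an added example (not code from the thread or from Authlogic): it walks every controller action with no session and reports any action that is reachable or changes data but is not meant to be public. `GuardedController`, `NoticesController`, `LeakyController`, `anonymous_leaks` and the `/login` path are hypothetical plain-Ruby stand-ins for a Rails controller with a login filter, so the block runs without Rails.

```ruby
# Stand-in for a controller base class with a login filter (hypothetical names).
class GuardedController
  def initialize(session, store)
    @session = session   # {} when nobody is logged in
    @store = store       # list of notices
  end

  # Run the guard first, then the action, as a before-filter chain would.
  def process(action, params = {})
    unless self.class::PUBLIC_ACTIONS.include?(action) || @session[:user_id]
      return [302, "/login"]
    end
    public_send(action, params)
  end
end

class NoticesController < GuardedController
  PUBLIC_ACTIONS = [:index, :show].freeze   # only read-only pages are public
  def index(_p);  [200, @store.dup]; end
  def show(p);    [200, @store.fetch(p[:id])]; end
  def new(_p);    [200, "form"]; end
  def edit(p);    [200, @store.fetch(p[:id])]; end
  def create(p);  @store << p[:text]; [302, "/notices"]; end
  def update(p);  @store[p[:id]] = p[:text]; [302, "/notices"]; end
  def destroy(p); @store.delete_at(p[:id]); [302, "/notices"]; end
end

# Same controller with a slip: destroy was whitelisted by mistake.
class LeakyController < NoticesController
  PUBLIC_ACTIONS = [:index, :show, :destroy].freeze
end

# Calls every action anonymously; returns the ones that either changed the
# data or were served without being a declared public action.
def anonymous_leaks(controller_class)
  actions = controller_class.public_instance_methods - GuardedController.public_instance_methods
  actions.select do |action|
    store = ["Sports day moved to Friday"]   # constructed sample notice
    status, location = controller_class.new({}, store).process(action, { id: 0, text: "defaced" })
    redirected = [status, location] == [302, "/login"]
    changed = store != ["Sports day moved to Friday"]
    changed || !(redirected || controller_class::PUBLIC_ACTIONS.include?(action))
  end
end

p anonymous_leaks(NoticesController)
p anonymous_leaks(LeakyController)
```

Because the action list is read from the class rather than typed into the test, an action added later without protection shows up in the result instead of being silently skipped.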