Every product we build deals with user authorization. Users may only access certain features or data based on their permissions within the app. While we want to ensure users can access everything they should, we also want to ensure they can’t access anything they shouldn’t. This is why we default to deny all user privileges when starting a new app.

What is Default to Deny?

Network security practitioners are familiar with a similar concept. The National Institute of Standards and Technology (NIST) issued security guidance that describes a “deny by default / allow by exception” security control. The idea is simple: deny all network traffic by default and only allow traffic that is explicitly authorized. This concept is more broadly known as the principle of least privilege.

“Default to deny” is our application of this principle to mobile and web apps. When we start a new app, users are initially denied access to all features and data. We then explicitly grant access to the things the user is permitted to access.

Why is Default to Deny Important?

Defaulting to deny is an important safeguard for user data. Let’s say we have an app that lets users purchase books. Users save their credit card information in the app so they don’t have to re-enter it every time they make a purchase.

If we let every user access everything by default, what might happen? We could miss all of the ways that credit card data could be accessed. A malicious user could probably find a way to steal credit card numbers from other user accounts. We certainly don’t want that! So why don’t we start with the complete opposite position?

If we deny all access by default, no one can steal credit card information. Users also wouldn’t be able to access their own credit card details. That isn’t great, but it’s much better than letting anyone see all credit card numbers. And opening up user permissions just a little bit is much easier than trying to find all the ways sensitive data might be accessed.

By defaulting to deny, we can be confident that no one is doing anything unless it is explicitly allowed. Our users’ data is protected from accidental exposure and malicious attacks.

How to Implement Default to Deny

As an example of how to default to deny, consider a Ruby on Rails app (as we tend to do). The primary way a user interacts with the app is through API endpoints powered by controllers. We use Pundit, a popular authorization library for Rails, to manage user permissions.

Using a BaseController class, we can define an after_action that ensures an authorization check is performed on all requests by default.

class BaseController < ActionController::Base
  include Pundit::Authorization
  after_action :verify_authorized
end

Then we can define a base Pundit policy that denies all access by default. Note that we don’t need to define any actions in the policy. Pundit will automatically check for a policy method that matches the controller action. However, actions are defined in our example to make it clear that we are denying access by default.

class BasePolicy
  def index?
    false
  end

  def show?
    false
  end

  def create?
    false
  end

  def update?
    false
  end

  def destroy?
    false
  end
end

Now, we can have any controller inherit from BaseController and Pundit will deny all access to all actions. For each model class we define, we can add a new Pundit policy that inherits from BasePolicy. Then we can explicitly allow access to the actions we want to allow. Consider the following policy example for a Book model. All users can use the index or show actions, but only administrators can use the create, update, or destroy actions.

class BookPolicy < BasePolicy
  def index?
    true
  end

  def show?
    true
  end

  def create?
    user.admin?
  end

  def update?
    user.admin?
  end

  def destroy?
    user.admin?
  end
end

Starting With Security

Default to deny is a simple concept that can have a big impact on the security of your app. By denying all access by default, you can be confident that no one is doing anything unless it is explicitly allowed. This is especially important for apps that deal with sensitive user data. Consider defaulting to deny when starting your next app and see how much more confident you feel about your authorization rules.