By framework
Ruby on Rails security — Strong Parameters, authorization, and gem CVEs
Rails has safe defaults, but incidents come from operations: over-permissive Strong Parameters (Mass Assignment), thin authorization (auth ≠ authz), and known gem CVEs. Tighten permit, make authorization explicit, monitor gem CVEs. Defensive, no attack steps.
For: anyone running a Ruby on Rails app. No attack steps here — just keeping the safe defaults working while closing the gaps operations open. For the full picture, see the security-by-framework hub.
The big three pitfalls (they open when you leave the defaults)
Rails's defaults are excellent, but these three are yours to guard deliberately.
① Mass Assignment
Permit too broadly and is_admin, etc. get overwritten unexpectedly.
② Thin authorization
Authenticated but no owner scope. ID swap reveals others' data (IDOR).
③ Known gem CVEs
Dependency-gem flaws left unpatched. Judge by running version, patch fast.
Also watch for SQLi via string interpolation into where, passing user input to dangerous dynamic methods (send/constantize), and leaking credentials/secret_key_base.
How to close them (3 steps)
Keep Strong Parameters minimal
is_admin from user input. Drop "permit broadly because it's convenient."Make authorization explicit
current_user and make the policy explicit with Pundit / CanCanCan. Check ownership on every read/update/delete (→ what IDOR is).Monitor gem (dependency) CVEs and patch fast
where, never string interpolation.Common (dangerous)
- Strong Parameters permitted broadly (Mass Assignment)
- no authorization — "logged in = can view"
- known gem CVEs left unpatched
where("... #{params}")string interpolation
Correct
- permit kept minimal
- explicit authorization (current_user/Pundit)
- gems CVE-monitored + patched fast
wherewith placeholders
This site's view: even guarded by conventions, authorization and dependencies are on you
Rails's good defaults erase a lot of risk, but authorization — who may do what — and dependency freshness are the two things a framework can't guard automatically. The incidents we keep seeing are less elaborate attacks than the "authenticated but no ownership check" type. So the center of gravity is tightening Strong Parameters, making authorization explicit, and monitoring gems for CVEs. Unflashy as they are, those three prevent most real-world Rails incidents.
Read next
- Hub: security by framework · Laravel security (same MVC, similar authorization shape)
- Practice: the vulnerability-response playbook · monitoring dependency CVEs
- Glossary: what IDOR is · what SQL injection is
FAQ
QIs Ruby on Rails a secure framework?
Rails is 'convention over configuration' and ships many safe defaults — CSRF protection, Strong Parameters, ORM-based SQL protection are standard. Used correctly it's a solid framework, but stepping outside the defaults or skipping the necessary work opens holes. Over-permissive Strong Parameters, thin authorization, and unpatched gem (dependency) CVEs recur less as Rails-specific issues than as operational ones.
QWhat should I watch for with Strong Parameters?
Strong Parameters explicitly allows (permit) which fields you accept, to prevent Mass Assignment (bulk-assigning unintended fields). The danger is permitting broadly for convenience. Keep permitted fields to the minimum, and never let a privilege field like is_admin be assigned from user input.
QWhy is 'if you're logged in, you can see it' dangerous?
That's authentication without authorization. Rails provides the login (authentication) mechanism, but whether the data truly belongs to that user is app-specific authorization you must write. If you skip scoping resources by current_user or making the policy explicit with Pundit/CanCanCan, swapping the ID in the URL can reveal another user's data (IDOR).