1 article with this tag
Rails ships conventions and safe defaults (CSRF protection, Strong Parameters, an ORM) and is solid when used correctly. But incidents come from how it is operated. The big three: (1) over-permissive Strong Parameters that allow Mass Assignment (overwriting is_admin, etc.), (2) thin authorization (a logged-in check is authentication; it does not scope records to their owner), (3) known CVEs in gems (dependencies). Plus SQL injection via string interpolation in `where`, dangerous dynamic methods (`send`/`constantize`), and leaked credentials/`secret_key_base`. Defenses: tighten `permit`, make authorization explicit, monitor gem CVEs.