finds.dev← search

// the find

brunofacca/zen-rails-security-checklist

★ 1,815 · Ruby · MIT · updated Mar 2020

Checklist of security precautions for Ruby on Rails applications.

A security checklist for Rails 4 and 5 applications, covering the OWASP Top 10 and Rails-specific gotchas. It's a reference doc, not a gem — you read it and tick boxes. Useful for developers who want a structured audit of an existing app or a starting point for a new one.

Covers Rails-specific XSS traps that most generic checklists miss — the HAML `!=` operator, `render inline:`, JSON-in-script-context, and the `\A`/`\z` vs `^`/`$` regex anchor distinction are all genuinely non-obvious and worth having in a checklist. The Pundit section is concrete and includes actual code patterns rather than hand-wavy advice. The injection section correctly distinguishes SQL injection from command injection and covers the eval/system family. External links to rails-sqli.org and OWASP cheat sheets are well-chosen.

Last updated March 2020 — five-plus years stale. Rails 6 and 7 shipped meaningful security changes (encrypted attributes, cookie serializer defaults, CSP nonce helpers, Zeitwerk affecting some attack surfaces) that aren't here. The credential/master.key section reflects Rails 5.2 patterns and some of the advice is now outdated. The CSP section is effectively empty — a placeholder with one external link — which is a significant omission given CSP is one of the more complex things to get right. The repo is a single README with a stub Ruby file; there are no tests, no CI, and no indication of active maintenance, so you're essentially adopting a frozen snapshot.

View on GitHub →

// want more like this?

We dig through GitHub every week and send a few repos picked for what you actually care about — each with an honest take like this one.

Get finds in your inbox → Search again →