// the find
brunofacca/zen-rails-security-checklist
Checklist of security precautions for Ruby on Rails applications.
A security checklist for Rails 4 and 5 applications, covering the OWASP Top 10 and Rails-specific gotchas. It's a reference doc, not a gem — you read it and tick boxes. Useful for developers who want a structured audit of an existing app or a starting point for a new one.
Covers Rails-specific XSS traps that most generic checklists miss — the HAML `!=` operator, `render inline:`, JSON-in-script-context, and the `\A`/`\z` vs `^`/`$` regex anchor distinction are all genuinely non-obvious and worth having in a checklist. The Pundit section is concrete and includes actual code patterns rather than hand-wavy advice. The injection section correctly distinguishes SQL injection from command injection and covers the eval/system family. External links to rails-sqli.org and OWASP cheat sheets are well-chosen.
Last updated March 2020 — five-plus years stale. Rails 6 and 7 shipped meaningful security changes (encrypted attributes, cookie serializer defaults, CSP nonce helpers, Zeitwerk affecting some attack surfaces) that aren't here. The credential/master.key section reflects Rails 5.2 patterns and some of the advice is now outdated. The CSP section is effectively empty — a placeholder with one external link — which is a significant omission given CSP is one of the more complex things to get right. The repo is a single README with a stub Ruby file; there are no tests, no CI, and no indication of active maintenance, so you're essentially adopting a frozen snapshot.