A community-driven, practical checklist to help Rails developers implement essential security best practices in their applications.
:key: Community-driven Rails Security Checklist (see our GitHub Issues for the newest checks that aren't yet in the README)
This tool is a security checklist written specifically for Ruby on Rails applications. It walks developers through key security precautions across controllers, routes, views, and more, and suits Rails developers and teams who want to improve their application's security posture by following community-vetted recommendations. It also helps surface common security pitfalls and encourages defense-in-depth strategies.
This checklist is not exhaustive. It was originally created by a Rails developer with an interest in security rather than a security expert, so consult security professionals for a thorough audit. Two themes recur throughout: disable security callbacks selectively, only for the specific actions that need it, rather than globally; and practise defense in depth by duplicating checks in both routes and controllers, so that a mistake in one layer is caught by the other. Also make sure that non-production engines are not mounted in production environments.
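The following is an added example, not code from the checklist or from Rails itself. It is plain Ruby that emulates the three Rails mechanisms the paragraph above relies on (the `before_action`/`skip_before_action` callback chain, route constraints, and mounting an engine), so it runs without Rails installed. The controller names, the `authenticate!` callback, the `AUTHENTICATED` constraint, the `/dev_tools` engine and the `attempt` helper are all assumptions made for this illustration. It shows a selective skip beside a global one, the route-level duplicate check catching the global skip, and a non-production engine that is only mounted outside production.

```ruby
# Added example (not the checklist's or Rails' own code): a plain-Ruby stand-in
# for before_action / skip_before_action, route constraints and engine mounting.
# It demonstrates three checklist points:
#   1. disable a security callback selectively (per action), never globally;
#   2. defense in depth: enforce the same check in routes AND controllers;
#   3. mount non-production engines only outside production.

# Constructed request: a path plus the current user (nil when anonymous).
Request = Struct.new(:path, :user)

class Denied < StandardError; end

# Minimal emulation of ActionController's callback chain (not Rails' real code).
class BaseController
  def self.callbacks
    @callbacks ||= (superclass.respond_to?(:callbacks) ? superclass.callbacks.map(&:dup) : [])
  end

  def self.before_action(name, only: nil, except: nil)
    callbacks << { name: name, only: only && Array(only), except: Array(except) }
  end

  # With `only:` the skip is selective; without it the callback is dropped for every action.
  def self.skip_before_action(name, only: nil)
    if only
      callbacks.each { |cb| cb[:except] += Array(only) if cb[:name] == name }
    else
      callbacks.reject! { |cb| cb[:name] == name }
    end
  end

  attr_reader :current_user

  def initialize(request)
    @current_user = request.user
  end

  # Run the applicable callbacks, then the action; returns the action's response.
  def process(action)
    self.class.callbacks.each do |cb|
      next if cb[:only] && !cb[:only].include?(action)
      next if cb[:except].include?(action)
      send(cb[:name])
    end
    send(action)
  end

  # Hypothetical security callback standing in for an authentication check.
  def authenticate!
    raise Denied, "controller: login required" unless current_user
  end
end

class AdminController < BaseController
  before_action :authenticate!
  def dashboard; "admin dashboard for #{current_user}"; end
end

# GOOD (point 1): only the public action is skipped; destroy stays protected.
class ArticlesController < BaseController
  before_action :authenticate!
  skip_before_action :authenticate!, only: [:index]
  def index; "public article list"; end
  def destroy; "article deleted by #{current_user}"; end
end

# BAD: a global skip silently exposes destroy along with index.
class LeakyArticlesController < ArticlesController
  skip_before_action :authenticate!
end

# Stand-in for a developer-only engine (point 3).
class DevToolsController < BaseController
  def mail_previews; "developer-only mail previews"; end
end

# Minimal emulation of routes.rb `mount ..., constraints:` semantics.
class Router
  Route = Struct.new(:prefix, :controller, :constraint)

  def initialize; @routes = []; end

  def mount(prefix, controller, constraint: nil)
    @routes << Route.new(prefix, controller, constraint)
  end

  def dispatch(request, action)
    route = @routes.find { |r| request.path.start_with?(r.prefix) }
    raise Denied, "routes: no route for #{request.path}" unless route
    raise Denied, "routes: constraint rejected #{request.path}" if route.constraint && !route.constraint.call(request)
    route.controller.new(request).process(action)
  end
end

# Route-level twin of authenticate! (point 2: the check lives in both layers).
AUTHENTICATED = ->(req) { !req.user.nil? }

def build_router(env)
  Router.new.tap do |r|
    r.mount("/admin", AdminController, constraint: AUTHENTICATED)
    r.mount("/articles", ArticlesController)
    # The route constraint catches the global skip inside LeakyArticlesController.
    r.mount("/leaky_articles", LeakyArticlesController, constraint: AUTHENTICATED)
    # A non-production engine is mounted only outside production.
    r.mount("/dev_tools", DevToolsController) unless env == "production"
  end
end

# Returns the response string, or "denied: <reason>" when a layer rejects the request.
def attempt(env, path, action, user: nil)
  build_router(env).dispatch(Request.new(path, user), action)
rescue Denied => e
  "denied: #{e.message}"
end

if __FILE__ == $PROGRAM_NAME
  puts attempt("production", "/articles", :index)
  puts attempt("production", "/articles", :destroy)
  puts attempt("production", "/leaky_articles", :destroy)
  puts attempt("production", "/dev_tools", :mail_previews)
  puts attempt("development", "/dev_tools", :mail_previews)
end
```

Calling `LeakyArticlesController` directly, with no router in front of it, shows why the duplicated check matters: an anonymous `destroy` goes straight through because the global skip removed the only guard. Behind the route constraint the same request is rejected before the controller is ever instantiated.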