From rails-specialist
Use when implementing authentication, authorization, or hardening a Rails application against vulnerabilities. Also applies before deployment to verify security posture, or when reviewing code for mass assignment, XSS, SQL injection, or CSRF risks. Covers strong parameters, Devise, Pundit, security scanning, and deployment checklists.
npx claudepluginhub chaserx/cpc --plugin rails-specialistThis skill uses the workspace's default tool permissions.
Guidance for implementing secure Rails applications, covering authentication, authorization, and protection against common web vulnerabilities.
Generates design tokens/docs from CSS/Tailwind/styled-components codebases, audits visual consistency across 10 dimensions, detects AI slop in UI.
Records polished WebM UI demo videos of web apps using Playwright with cursor overlay, natural pacing, and three-phase scripting. Activates for demo, walkthrough, screen recording, or tutorial requests.
Delivers idiomatic Kotlin patterns for null safety, immutability, sealed classes, coroutines, Flows, extensions, DSL builders, and Gradle DSL. Use when writing, reviewing, refactoring, or designing Kotlin code.
Guidance for implementing secure Rails applications, covering authentication, authorization, and protection against common web vulnerabilities.
Always whitelist parameters — this is the first line of defense against mass assignment:
def user_params
params.require(:user).permit(:name, :email, :avatar)
end
# Never do this:
User.create(params[:user]) # Mass assignment vulnerability!
# Never permit sensitive attributes without authorization:
# BAD: params.require(:user).permit(:name, :email, :admin, :role)
# GOOD: Only permit :admin or :role after verifying the current user is authorized
Nested attributes:
def order_params
params.require(:order).permit(
:customer_name,
:total,
line_items_attributes: [:id, :product_id, :quantity, :_destroy]
)
end
Force SSL in production — this is non-negotiable:
# config/environments/production.rb
config.force_ssl = true
| Vulnerability | Prevention |
|---|---|
| SQL Injection | Use parameterized queries |
| XSS | Don't use raw or html_safe on user input |
| CSRF | Keep protect_from_forgery enabled |
| Mass Assignment | Use strong parameters |
| Session Hijacking | Secure, httponly, same_site cookies |
| Broken Auth | Use Devise with secure settings |
| Broken Access | Implement Pundit or CanCanCan |
Run these tools regularly and in CI:
bundle exec brakeman --no-pager # Static analysis
bundle exec bundler-audit check --update # Gem CVE check
master.key not in VCSconfig.force_ssl = true in productionverify_authorized)For detailed patterns and code examples, consult:
references/owasp-rails.md — OWASP Top 10 mapped to Rails: SQL injection, XSS, CSRF, broken auth, and access control patterns with Devise and Punditreferences/auth-patterns.md — Authentication deep-dive: password security, session hardening, password reset flows, and secrets management with Rails credentialsreferences/hardening.md — Application hardening: HTTP security headers, file upload security, rate limiting with Rack::Attack, logging security, scanning tools, and deployment checklist