Use when implementing authentication, authorization, or hardening a Rails application against vulnerabilities. Also applies before deployment to verify security posture, or when reviewing code for mass assignment, XSS, SQL injection, or CSRF risks. Covers strong parameters, Devise, Pundit, security scanning, and deployment checklists.
Generates secure Rails code and deployment checklists for authentication, authorization, and vulnerability hardening.
npx claudepluginhub chaserx/cpcThis skill inherits all available tools. When active, it can use any tool Claude has access to.
references/auth-patterns.mdreferences/hardening.mdreferences/owasp-rails.mdGuidance for implementing secure Rails applications, covering authentication, authorization, and protection against common web vulnerabilities.
Always whitelist parameters — this is the first line of defense against mass assignment:
def user_params
params.require(:user).permit(:name, :email, :avatar)
end
# Never do this:
User.create(params[:user]) # Mass assignment vulnerability!
# Never permit sensitive attributes without authorization:
# BAD: params.require(:user).permit(:name, :email, :admin, :role)
# GOOD: Only permit :admin or :role after verifying the current user is authorized
Nested attributes:
def order_params
params.require(:order).permit(
:customer_name,
:total,
line_items_attributes: [:id, :product_id, :quantity, :_destroy]
)
end
Force SSL in production — this is non-negotiable:
# config/environments/production.rb
config.force_ssl = true
| Vulnerability | Prevention |
|---|---|
| SQL Injection | Use parameterized queries |
| XSS | Don't use raw or html_safe on user input |
| CSRF | Keep protect_from_forgery enabled |
| Mass Assignment | Use strong parameters |
| Session Hijacking | Secure, httponly, same_site cookies |
| Broken Auth | Use Devise with secure settings |
| Broken Access | Implement Pundit or CanCanCan |
Run these tools regularly and in CI:
bundle exec brakeman --no-pager # Static analysis
bundle exec bundler-audit check --update # Gem CVE check
master.key not in VCSconfig.force_ssl = true in productionverify_authorized)For detailed patterns and code examples, consult:
references/owasp-rails.md — OWASP Top 10 mapped to Rails: SQL injection, XSS, CSRF, broken auth, and access control patterns with Devise and Punditreferences/auth-patterns.md — Authentication deep-dive: password security, session hardening, password reset flows, and secrets management with Rails credentialsreferences/hardening.md — Application hardening: HTTP security headers, file upload security, rate limiting with Rack::Attack, logging security, scanning tools, and deployment checklistActivates when the user asks about AI prompts, needs prompt templates, wants to search for prompts, or mentions prompts.chat. Use for discovering, retrieving, and improving prompts.
Search, retrieve, and install Agent Skills from the prompts.chat registry using MCP tools. Use when the user asks to find skills, browse skill catalogs, install a skill for Claude, or extend Claude's capabilities with reusable AI agent components.
Creating algorithmic art using p5.js with seeded randomness and interactive parameter exploration. Use this when users request creating art using code, generative art, algorithmic art, flow fields, or particle systems. Create original algorithmic art rather than copying existing artists' work to avoid copyright violations.