This is a collection of historical Ruby on Rails security features, originally based on the talk “The Evolution of Rails Security” by Justin Collins presented at RailsConf 2018.

January 2007 - Rails 1.2

Parameter Log Filtering

August 2010 - Rails 3.0

Auto-Escaping HTML in Templates

August 2011 - Rails 3.1

has_secure_password

config.force_ssl

June 2013 - Rails 4.0

Strong Parameters

Encrypted Session Cookies

Default Headers

June 2016 - Rails 5.0

Per-Form CSRF Tokens

February 2018 - Rails 5.1

Encrypted Secrets

April 2018 - Rails 5.2

Encrypted Credentials

More Default Headers

Content Security Policy

Rails 6.0

Host Header Filtering

Purpose Metadata for Encrypted Cookies

Sensitive Parameter Filtering