Rails is one of the most secure framework by default for a long time, but still there is always room for improvement, and the lates version brings a few nice improvements.
Change default X-XSS-Protection header
This header has been deprecated and the XSS auditor should be disabled in older browsers, because it can introduce additional security issues.
Support for a CSP policy with trusted-types
Now you can use this experimental CSP policy to control the data passed to DOM XSS sink functions like
Element.innerHTML and lower the attack surface for an XSS.
Raise on redirect_to open redirects
Rails 7 has a new option to raise an exception if redirect_to is called with an untrusted URL. To enable it, set:
ActionController::Base.raise_on_open_redirects = true
Tag helpers XSS protection
ERB::Util are by default escaping now the tag names and the tag attribute in the tag helpers. This is another nice improvement to lower the chance of an XSS vulnerability.
Sensitive attributes filtering from logs
Previously the SQL queries in the logs may have contained passwords and other sensitive information, but from Rails 7, attributes configured at
ActiveRecord::Base.filter_attributes are filtered out from the logs
Now you can configure your models attributes to be encrypted and Rails will encrypt them before saving it to the database and decrypt it on retrieval.