Ruby on Rails

Rails Security

CSRF protection, SQL injection, XSS, mass assignment, secrets management, HTTPS

22 interview questions · Senior
1

What mechanism does Rails use by default to protect against CSRF attacks?

Answer

Rails stores a random CSRF token in the session and, on every render, emits a freshly masked copy of it in a hidden authenticity_token field (and in the csrf_meta_tags head tags, which rails-ujs and Turbo send as the X-CSRF-Token header on XHR and fetch requests). Any request whose verb is not GET or HEAD must present a token that unmasks to the session's token; otherwise verify_authenticity_token raises ActionController::InvalidAuthenticityToken (the with: :exception strategy) or, with with: :null_session, runs the action with an empty session. form_with inserts the hidden field automatically. protect_from_forgery is on by default: older apps call it explicitly in ApplicationController, and since Rails 5.2 config.action_controller.default_protect_from_forgery enables it for every controller that inherits from ActionController::Base. ActionController::API controllers do not include the check at all.
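The masking and verification logic described above, reproduced as an added stand-alone example (this is not Rails' own code; the class and method names are ours, and the session is a plain Hash standing in for the Rails session). The scheme follows ActionController::RequestForgeryProtection: a 32-byte token lives in the session, each rendered form receives pad || (pad XOR token) with a fresh random pad, and verification unmasks and compares in constant time.

```ruby
require "securerandom"

# Added example: a reduced model of Rails' CSRF token handling.
# Assumptions (not from the original page): CsrfGuard/verified_request? are our
# names; the session is a Hash; tokens are carried in the authenticity_token
# param or the X-CSRF-Token header, as Rails does.
class CsrfGuard
  TOKEN_LENGTH = 32
  SAFE_METHODS = %w[GET HEAD].freeze

  def initialize(session)
    @session = session
  end

  # The real token is generated once per session and stored base64-encoded,
  # mirroring Rails' session[:_csrf_token].
  def real_token
    @session[:_csrf_token] ||= [SecureRandom.random_bytes(TOKEN_LENGTH)].pack("m0")
    @session[:_csrf_token].unpack1("m0")
  end

  # What form_with writes into the hidden field: a one-time pad followed by the
  # pad XORed with the real token. Every call yields a different string, so the
  # token never repeats in responses (the BREACH mitigation Rails added in 4.2).
  def masked_token
    pad = SecureRandom.random_bytes(TOKEN_LENGTH)
    [pad + xor(pad, real_token)].pack("m0")
  end

  # GET/HEAD are never verified; every other verb needs a valid token from the
  # form param or the header used by XHR/fetch.
  def verified_request?(method:, params: {}, headers: {})
    return true if SAFE_METHODS.include?(method.to_s.upcase)

    valid_token?(params["authenticity_token"] || headers["X-CSRF-Token"])
  end

  # Unmask: real = pad XOR masked_half, then constant-time compare.
  def valid_token?(encoded)
    return false if encoded.nil?

    decoded = encoded.unpack1("m0") # strict base64; raises ArgumentError on junk
    return false unless decoded.bytesize == TOKEN_LENGTH * 2

    pad = decoded.byteslice(0, TOKEN_LENGTH)
    masked = decoded.byteslice(TOKEN_LENGTH, TOKEN_LENGTH)
    secure_compare(xor(pad, masked), real_token)
  rescue ArgumentError
    false
  end

  private

  def xor(a, b)
    a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack("C*")
  end

  # Same approach as ActiveSupport::SecurityUtils: length check, then XOR-accumulate
  # so the comparison time does not depend on where the first mismatch is.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize

    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  session = {}
  guard = CsrfGuard.new(session)
  form_token = guard.masked_token                      # rendered into the form
  puts guard.verified_request?(method: "POST", params: { "authenticity_token" => form_token })
  puts guard.verified_request?(method: "POST")         # forged cross-site POST: no token
  puts CsrfGuard.new({}).valid_token?(form_token)      # token bound to another session
end
```

The last line of the demo is the property that makes the scheme work: a token is only meaningful relative to the session that minted it, which is why an attacker's own token cannot be replayed against a victim's session.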

2

How to disable CSRF protection for a specific action in an API controller?

Answer

skip_before_action :verify_authenticity_token, only: [...] removes the check for the named actions. This is safe only when the request is authenticated by something the browser will not attach on its own, such as a bearer JWT or API key sent in a header; if the endpoint still honours the session cookie, skipping the check reintroduces CSRF. Controllers that inherit from ActionController::API have no CSRF filter in the first place, so the skip is only needed on ActionController::Base subclasses. Restrict the exception with only: (or use protect_from_forgery except:) rather than disabling it controller-wide.

3

What vulnerability is exploited in this code: User.where("name = '#{params[:name]}'")?

Answer

Interpolating params directly into the SQL string allows SQL injection: the input becomes part of the query's structure rather than a value. Sending name=' OR '1'='1 turns the condition into name = '' OR '1'='1' and returns every row; where the adapter permits stacked statements, a payload such as '; DROP TABLE users; -- runs arbitrary SQL. Use ActiveRecord's parameterisation instead: User.where(name: params[:name]) (hash conditions, sent as bind parameters) or User.where("name = ?", params[:name]) (the value is quoted by connection.quote before the SQL is built).
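To show what the placeholder form actually does to the payload, here is an added example that is not ActiveRecord's code: a reduced reimplementation of sanitize_sql_array, the routine behind where("name = ?", value) and where("name = :name", name: value). The quoting rules (single quotes doubled, nil as NULL, arrays expanded for IN) follow the PostgreSQL adapter; MySQL additionally backslash-escapes, which this example does not model. The module and method names are ours.

```ruby
# Added example: a minimal model of ActiveRecord's sanitize_sql_array.
# Assumptions (not from the original page): SqlSanitizer, sanitize, quote,
# unsafe_where and safe_where are illustrative names; quoting follows the
# ANSI/PostgreSQL convention of doubling embedded single quotes.
module SqlSanitizer
  module_function

  # Render a Ruby value as a SQL literal. Strings are the interesting case: every
  # embedded ' becomes '', so the value can never close the literal it sits in.
  def quote(value)
    case value
    when nil then "NULL"
    when Integer, Float then value.to_s
    when true then "TRUE"
    when false then "FALSE"
    when Array then value.map { |v| quote(v) }.join(", ")
    when String then "'#{value.gsub("'", "''")}'"
    else raise ArgumentError, "unsupported bind type #{value.class}"
    end
  end

  # Positional form: sanitize("name = ? AND role = ?", name, role)
  # Named form:      sanitize("name = :name", name: "bob")
  def sanitize(template, *binds)
    if binds.size == 1 && binds.first.is_a?(Hash)
      named = binds.first
      template.gsub(/:([a-zA-Z]\w*)/) do |match|
        key = Regexp.last_match(1).to_sym
        raise ArgumentError, "missing bind #{match}" unless named.key?(key)

        quote(named[key])
      end
    else
      expected = template.count("?")
      unless expected == binds.size
        raise ArgumentError, "wrong number of bind variables (#{binds.size} for #{expected})"
      end

      i = -1
      template.gsub("?") { quote(binds[i += 1]) }
    end
  end

  # The pattern from the question: the value is spliced into the SQL text.
  def unsafe_where(name)
    "SELECT * FROM users WHERE name = '#{name}'"
  end

  # The placeholder pattern: the value is quoted, so it stays a value.
  def safe_where(name)
    "SELECT * FROM users WHERE " + sanitize("name = ?", name)
  end
end

if __FILE__ == $PROGRAM_NAME
  payload = "' OR '1'='1"
  puts SqlSanitizer.unsafe_where(payload) # condition collapses to ... OR '1'='1'
  puts SqlSanitizer.safe_where(payload)   # the whole payload is one string literal
end
```

Note that the hash form User.where(name: ...) goes one step further than this: the value is shipped to the database as a bind parameter and never appears in the SQL text at all, which is the preferred shape when you have a choice.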

4

Which ActiveRecord method automatically protects against SQL injection?

5

How does Rails automatically protect against XSS attacks in ERB views?
