RubyFlow The Ruby and Rails community linklog


The Ruby and Rails community linklog

Made a library? Written a blog post? Found a useful tutorial? Share it with the Ruby community here or just enjoy what everyone else has found!

Active Params

Stop manually defining strong_parameters in each and every controller.

Whatever parameters that was used during development mode is considered permitted parameters for production. So automatically record them in development mode and simply apply strong_parameters in production.


This seems like a really bad idea. The whole point of strong_parameters is explicitly define which parameters you deem safe for your application to process.

Now you’ve tied that behavior to the development process, which seems… weird. You now have to develop a certain way or put your application’s security at risk.

Agree with Ben here. What would be the benefit of defining strong params outside of code? What’s a good use case for this? Genuinely curious here.

I thought this was actually providing macros in the controller, which would be ok, but defining them all in a separate file seems to be an extra unneeded context switching.

For an alternate take on securing parameters see

Is this really that big of a problem to begin with? Not in my experience, at least…

Post a comment

You can use basic HTML markup (e.g. <a>) or Markdown.

As you are not logged in, you will be
directed via GitHub to signup or sign in