Strong Parameters
Preventing Mass Assignment attacks
Strong Parameters is a Rails security feature that prevents Mass Assignment attacks.
What is a Mass Assignment attack?
# Malicious user sneaks in admin=true
POST /users { user: { name: "Hacker", email: "...", admin: true } }
Defense:
def user_params
  params.require(:user).permit(:name, :email, :password)
  # admin field not in permit → automatically ignored
end

def create
  @user = User.new(user_params) # safe
  # @user = User.new(params[:user]) # dangerous! (pre-Rails 4 style)
end
Nested parameters:
params.require(:post).permit(
  :title, :content,
  tags: [],                         # array of scalars
  comments_attributes: [:id, :body] # nested model attributes
)
Different allowed fields per role:
def user_params
  if current_user.admin?
    params.require(:user).permit(:name, :email, :role, :admin)
  else
    params.require(:user).permit(:name, :email)
  end
end
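As an added example (not Rails' own ActionController::Parameters and not code from this page), a minimal stand-alone re-implementation of the require/permit filtering shows what the three snippets above do to a request: scalar whitelist, a tags: [] array, a nested hash, the role branch, and a list of the keys that were silently dropped. The names permit, require_param, user_params, post_params and the ParameterMissing class are assumptions of this example.

```ruby
# Added example (not Rails code): a minimal re-implementation of the
# require/permit whitelist semantics so the filtering can be run
# stand-alone. Keys are symbols, as in the snippets above.
class ParameterMissing < StandardError; end

SCALAR = ->(v) { !v.is_a?(Hash) && !v.is_a?(Array) }

# require: the top-level key must exist; Rails raises
# ActionController::ParameterMissing (here a stand-in exception).
def require_param(params, key)
  value = params[key]
  raise ParameterMissing, "param is missing: #{key}" if value.nil? || value == {}
  value
end

# permit: walk the raw hash against the filter list and keep only what
# the whitelist names. Returns [permitted, dropped] so the silently
# discarded keys (the debugging pitfall under Cons) stay visible.
def permit(raw, *filters)
  scalars = filters.grep(Symbol)
  nested  = filters.grep(Hash).reduce({}, :merge)
  permitted, dropped = {}, []
  raw.each do |key, value|
    if scalars.include?(key) && SCALAR.call(value)
      permitted[key] = value                          # :name, :email, ...
    elsif nested[key] == [] && value.is_a?(Array)
      permitted[key] = value.select(&SCALAR)          # tags: [] => scalar array
    elsif nested[key].is_a?(Array) && value.is_a?(Hash)
      sub, sub_dropped = permit(value, *nested[key])  # address: [:city, :zip]
      permitted[key] = sub
      dropped.concat(sub_dropped.map { |k| :"#{key}.#{k}" })
    else
      dropped << key                                  # e.g. admin: true
    end
  end
  [permitted, dropped]
end

# Role-based branching as on the page: only admins may set :role and :admin.
def user_params(params, admin:)
  user = require_param(params, :user)
  return permit(user, :name, :email, :role, :admin) if admin
  permit(user, :name, :email)
end

# Nested form as on the page (tags array plus an address sub-hash).
def post_params(params)
  permit(require_param(params, :post), :title, :content, tags: [], address: [:city, :zip])
end
```

In a real Rails app the dropped list corresponds to what config.action_controller.action_on_unpermitted_parameters = :raise (or :log) surfaces; enabling :raise in development and test makes a forgotten permit entry fail loudly instead of silently discarding the field.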
Key Points
1. params.require(:model) → validates that the required parameter key is present
2. .permit(:field1, :field2) → whitelists the allowed fields
3. Non-permitted fields are automatically filtered out (ignored)
4. Create safely with Model.create(permitted_params)
5. Nested: permit(tags: [], address: [:city, :zip])
6. Role-based branching for different allowed fields (admin/regular)
Pros
- ✓ Fundamentally blocks Mass Assignment attacks
- ✓ Allowed fields explicit in code
- ✓ Managed in the Controller → no security logic needed in the Model
- ✓ Supports nested/array parameters
Cons
- ✗ Easy to forget to update permit when adding new fields
- ✗ Tricky configuration for complex nested structures
- ✗ Hard to debug if unaware that non-permitted fields are silently dropped
Use Cases
Processing all form data
API request parameter filtering
Role-based permission separation
Nested form data processing