Strong Parameters
Safe params.
The Mass Assignment Problem
Forms send many fields at once. If you blindly pass all of them to a model, an attacker could add fields you never intended, like setting admin: true. This is the mass assignment vulnerability.
- User input is never trusted.
- You must whitelist allowed fields.
- Rails enforces this with strong parameters.
What Are Strong Parameters?
Strong parameters require you to explicitly declare which params a model may accept. Rails raises an error if you try to mass-assign params that were not permitted.
This turns a silent security hole into an opt-in, reviewed list of fields.
All lessons in this course
- Routes and Resources
- Controllers and Actions
- Strong Parameters
- Views and Rendering