Rails 8 + Postgres + Render security playbook


The classic Rails stack with Hotwire's modern UX. Security questions are familiar: middleware ordering, Strong Parameters scope, Action Cable channel authorization.

What breaks on this stack

Action Cable channel without identified_by

An ApplicationCable::Connection that lacks identified_by and an authentication check (authenticate_user!) accepts every WebSocket connection, so unauthenticated users can join channels.


params bypassing Strong Parameters

Reading params[:user][:role] directly bypasses the .require + .permit allow-list.


BOLA on resource controllers

A show action that calls Order.find(params[:id]) without a per-user scope returns any user's order.


Render Postgres connection bouncer

Default Render Postgres has no PgBouncer; high-traffic apps hit max_connections fast.


Pre-ship checklist

  • before_action :authenticate_user! on every protected controller
  • params.require(:model).permit(:fields) — never bypass
  • @order = current_user.orders.find(params[:id])
  • Action Cable identified_by :current_user
  • Render PgBouncer or pgcat configured
  • Hotwire Turbo Stream broadcasts scoped per user
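
The BOLA item and the current_user.orders.find(params[:id]) checklist line, side by side, as an added example that is not part of the original page. It uses a plain-Ruby stand-in for ActiveRecord so it runs without Rails; Order, User, OrderScope, RecordNotFound, respond and the sample data are hypothetical names constructed for the illustration.

```ruby
# Added example: plain-Ruby stand-in for ActiveRecord so it runs without Rails.
# Order, User, OrderScope, RecordNotFound and respond are hypothetical names.
class RecordNotFound < StandardError; end
Order = Struct.new(:id, :user_id, :total)

# Constructed sample data: user 10 owns orders 1 and 2, user 20 owns order 3.
ORDERS = [Order.new(1, 10, 25), Order.new(2, 10, 40), Order.new(3, 20, 99)].freeze

# Mimics a relation: find raises when the id is not inside the scope.
class OrderScope
  def initialize(rows)
    @rows = rows
  end

  def find(id)
    wanted = Integer(id) # non-numeric or missing ids raise and become 404 below
    @rows.find { |o| o.id == wanted } || raise(RecordNotFound, "Order #{id}")
  end
end

User = Struct.new(:id) do
  # Stand-in for has_many :orders (WHERE orders.user_id = users.id).
  def orders
    OrderScope.new(ORDERS.select { |o| o.user_id == id })
  end
end

# Vulnerable shape: Order.find(params[:id]) searches every user's orders.
def show_unscoped(_current_user, params)
  OrderScope.new(ORDERS).find(params[:id])
end

# Checklist shape: current_user.orders.find(params[:id]).
def show_scoped(current_user, params)
  current_user.orders.find(params[:id])
end

# Maps the outcome to the status a Rails app would return (RecordNotFound -> 404).
def respond(action, user, params)
  send(action, user, params)
  200
rescue RecordNotFound, ArgumentError, TypeError
  404
end
```

With the scoped lookup, a request for another user's order id gets the same 404 as an id that does not exist, so the response does not confirm which ids are in use.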

Starter config

# app/channels/application_cable/connection.rb
module ApplicationCable
  class Connection < ActionCable::Connection::Base
    # Makes current_user available to every channel on this connection
    identified_by :current_user

    def connect
      self.current_user = find_verified_user
    end

    private

    # Reject the WebSocket unless the encrypted cookie maps to an existing user
    def find_verified_user
      User.find_by(id: cookies.encrypted[:user_id]) || reject_unauthorized_connection
    end
  end
end