aboutsummaryrefslogtreecommitdiffstats
path: root/guides
diff options
context:
space:
mode:
Diffstat (limited to 'guides')
-rw-r--r--guides/source/5_2_release_notes.md220
-rw-r--r--guides/source/action_controller_overview.md2
-rw-r--r--guides/source/action_mailer_basics.md28
-rw-r--r--guides/source/active_storage_overview.md7
-rw-r--r--guides/source/caching_with_rails.md48
-rw-r--r--guides/source/configuring.md8
-rw-r--r--guides/source/security.md106
7 files changed, 174 insertions, 245 deletions
diff --git a/guides/source/5_2_release_notes.md b/guides/source/5_2_release_notes.md
index 3c36ba5f7a..541c025fac 100644
--- a/guides/source/5_2_release_notes.md
+++ b/guides/source/5_2_release_notes.md
@@ -85,69 +85,9 @@ Rails 5.2 ships with a new DSL that allows you to configure a
for your application. You can configure a global default policy and then
override it on a per-resource basis and even use lambdas to inject per-request
values into the header such as account subdomains in a multi-tenant application.
-
-Example global policy:
-
-```ruby
-# config/initializers/content_security_policy.rb
-Rails.application.config.content_security_policy do |policy|
- policy.default_src :self, :https
- policy.font_src :self, :https, :data
- policy.img_src :self, :https, :data
- policy.object_src :none
- policy.script_src :self, :https
- policy.style_src :self, :https
-
- # Specify URI for violation reports
- policy.report_uri "/csp-violation-report-endpoint"
-end
-```
-
-Example controller overrides:
-
-```ruby
-# Override policy inline
-class PostsController < ApplicationController
- content_security_policy do |p|
- p.upgrade_insecure_requests true
- end
-end
-
-# Using literal values
-class PostsController < ApplicationController
- content_security_policy do |p|
- p.base_uri "https://www.example.com"
- end
-end
-
-# Using mixed static and dynamic values
-class PostsController < ApplicationController
- content_security_policy do |p|
- p.base_uri :self, -> { "https://#{current_user.domain}.example.com" }
- end
-end
-
-# Disabling the global CSP
-class LegacyPagesController < ApplicationController
- content_security_policy false, only: :index
-end
-```
-
-To report only content violations for migrating
-legacy content using the `content_security_policy_report_only`
-configuration attribute:
-
-```ruby
-# config/initializers/content_security_policy.rb
-Rails.application.config.content_security_policy_report_only = true
-```
-
-```ruby
-# Controller override
-class PostsController < ApplicationController
- content_security_policy_report_only only: :index
-end
-```
+You can read more about this in the
+[Securing Rails Applications](security.html#content-security-policy)
+guide.
Railties
--------
@@ -172,26 +112,16 @@ Please refer to the [Changelog][railties] for detailed changes.
### Notable changes
-* Namespace error pages' CSS selectors to stop the styles from bleeding
- into other pages when using Turbolinks.
- ([Pull Request](https://github.com/rails/rails/pull/28814))
-
* Added a shared section to `config/database.yml` that will be loaded for
all environments.
([Pull Request](https://github.com/rails/rails/pull/28896))
-* Allow irb options to be passed from `rails console` command.
- ([Pull Request](https://github.com/rails/rails/pull/29010))
-
* Add `railtie.rb` to the plugin generator.
([Pull Request](https://github.com/rails/rails/pull/29576))
* Clear screenshot files in `tmp:clear` task.
([Pull Request](https://github.com/rails/rails/pull/29534))
-* Load environment file in `dbconsole` command.
- ([Pull Request](https://github.com/rails/rails/pull/29725))
-
* Skip unused components when running `bin/rails app:update`.
If the initial app generation skipped Action Cable, Active Record etc.,
the update task honors those skips too.
@@ -246,19 +176,11 @@ Please refer to the [Changelog][railties] for detailed changes.
* Add `mini_magick` to default `Gemfile` as comment.
([Pull Request](https://github.com/rails/rails/pull/30633))
-* Gemfile for new apps: upgrade redis-rb from ~> 3.0 to 4.0.
- ([Pull Request](https://github.com/rails/rails/pull/30748))
-
* `rails new` and `rails plugin new` get `Active Storage` by default.
Add ability to skip `Active Storage` with `--skip-active-storage`
and do so automatically when `--skip-active-record` is used.
([Pull Request](https://github.com/rails/rails/pull/30101))
-* Fix minitest rails plugin.
- The custom reporters are added only if needed.
- This will fix conflicts with others plugins.
- ([Commit](https://github.com/rails/rails/commit/ac99916fcf7bf27bb1519d4f7387c6b4c5f0463d))
-
Action Cable
------------
@@ -277,9 +199,6 @@ Please refer to the [Changelog][action-cable] for detailed changes.
* Hash long stream identifiers when using PostgreSQL adapter.
([Pull Request](https://github.com/rails/rails/pull/29297))
-* Add support for compatibility with redis-rb gem for 4.0 version.
- ([Pull Request](https://github.com/rails/rails/pull/30748))
-
Action Pack
-----------
@@ -298,10 +217,6 @@ Please refer to the [Changelog][action-pack] for detailed changes.
### Notable changes
-* Add `action_controller_api` and `action_controller_base` load hooks to be
- called in `ActiveSupport.on_load`.
- ([Pull Request](https://github.com/rails/rails/pull/28402))
-
* Add support for recyclable cache keys with fragment caching.
([Pull Request](https://github.com/rails/rails/pull/29092))
@@ -312,18 +227,9 @@ Please refer to the [Changelog][action-pack] for detailed changes.
* AEAD encrypted cookies and sessions with GCM.
([Pull Request](https://github.com/rails/rails/pull/28132))
-* `driven_by` now registers poltergeist and capybara-webkit.
- ([Pull Request](https://github.com/rails/rails/pull/29315))
-
-* Fallback `ActionController::Parameters#to_s` to `Hash#to_s`.
- ([Pull Request](https://github.com/rails/rails/pull/29630))
-
* Protect from forgery by default.
([Pull Request](https://github.com/rails/rails/pull/29742))
-* Make `take_failed_screenshot` work within engine.
- ([Pull Request](https://github.com/rails/rails/pull/30421))
-
* Enforce signed/encrypted cookie expiry server side.
([Pull Request](https://github.com/rails/rails/pull/30121))
@@ -353,9 +259,6 @@ Please refer to the [Changelog][action-pack] for detailed changes.
[Commit](https://github.com/rails/rails/commit/619b1b6353a65e1635d10b8f8c6630723a5a6f1a),
[Commit](https://github.com/rails/rails/commit/4ec8bf68ff92f35e79232fbd605012ce1f4e1e6e))
-* Fix optimized url helpers when using relative url root.
- ([Pull Request](https://github.com/rails/rails/pull/31261))
-
* Register most popular audio/video/font mime types supported by modern
browsers.
([Pull Request](https://github.com/rails/rails/pull/31251))
@@ -409,21 +312,10 @@ Please refer to the [Changelog][action-view] for detailed changes.
### Notable changes
-* Update `distance_of_time_in_words` helper to display better error messages
- for bad input.
- ([Pull Request](https://github.com/rails/rails/pull/20701))
-
* Add `:json` type to `auto_discovery_link_tag` to support
[JSON Feeds](https://jsonfeed.org/version/1).
([Pull Request](https://github.com/rails/rails/pull/29158))
-* Generate field ids in `collection_check_boxes` and
- `collection_radio_buttons`.
- ([Pull Request](https://github.com/rails/rails/pull/29412))
-
-* Fix issues with scopes and engine on `current_page?` method.
- ([Pull Request](https://github.com/rails/rails/pull/29503))
-
* Add `srcset` option to `image_tag` helper.
([Pull Request](https://github.com/rails/rails/pull/29349))
@@ -453,10 +345,6 @@ Please refer to the [Changelog][action-mailer] for detailed changes.
* Add `assert_enqueued_email_with` test helper.
([Pull Request](https://github.com/rails/rails/pull/30695))
-* Bring back proc with arity of 1 in `ActionMailer::Base.default` proc
- since it was supported in Rails 5.0 but not deprecated.
- ([Pull Request](https://github.com/rails/rails/pull/30391))
-
Active Record
-------------
@@ -546,9 +434,6 @@ Please refer to the [Changelog][active-record] for detailed changes.
when the current migration does not exist.
([Commit](https://github.com/rails/rails/commit/bb9d6eb094f29bb94ef1f26aa44f145f17b973fe))
-* Add type caster to `RuntimeReflection#alias_name`.
- ([Pull Request](https://github.com/rails/rails/pull/28961))
-
* Respect `SchemaDumper.ignore_tables` in rake tasks for
databases structure dump.
([Pull Request](https://github.com/rails/rails/pull/29077))
@@ -559,39 +444,16 @@ Please refer to the [Changelog][active-record] for detailed changes.
does not include a timestamp any more.
([Pull Request](https://github.com/rails/rails/pull/29092))
-* Loading model schema from database is now thread-safe.
- ([Pull Request](https://github.com/rails/rails/pull/29216))
-
* Prevent creation of bind param if casted value is nil.
([Pull Request](https://github.com/rails/rails/pull/29282))
* Use bulk INSERT to insert fixtures for better performance.
([Pull Request](https://github.com/rails/rails/pull/29504))
-* Fix destroying existing object does not work well when optimistic locking
- enabled and `locking_column` is null in the database.
- ([Pull Request](https://github.com/rails/rails/pull/28926))
-
-* `ActiveRecord::Persistence#touch` does not work well
- when optimistic locking enabled and `locking_column`,
- without default value, is null in the database.
- ([Pull Request](https://github.com/rails/rails/pull/28914))
-
* Merging two relations representing nested joins no longer transforms
the joins of the merged relation into LEFT OUTER JOIN.
([Pull Request](https://github.com/rails/rails/pull/27063))
-* Previously, when building records using a `has_many :through` association,
- if the child records were deleted before the parent was saved,
- they would still be persisted. Now, if child records are deleted
- before the parent is saved on a `has_many :through` association,
- the child records will not be persisted.
- ([Pull Request](https://github.com/rails/rails/pull/29593))
-
-* Query cache was unavailable when entering the `ActiveRecord::Base.cache`
- block without being connected.
- ([Pull Request](https://github.com/rails/rails/pull/29609))
-
* Fix transactions to apply state to child transactions.
Previously, if you had a nested transaction and the outer transaction was
rolledback, the record from the inner transaction would still be marked
@@ -617,26 +479,10 @@ Please refer to the [Changelog][active-record] for detailed changes.
recognize 't' and 'f' as was previously serialized.
([Pull Request](https://github.com/rails/rails/pull/29699))
-* `Relation#joins` is no longer affected by the target model's
- `current_scope`, with the exception of `unscoped`.
- ([Commit](https://github.com/rails/rails/commit/5c71000d086cc42516934415b79380c2224e1614))
-
* Values constructed using multi-parameter assignment will now use the
post-type-cast value for rendering in single-field form inputs.
([Commit](https://github.com/rails/rails/commit/1519e976b224871c7f7dd476351930d5d0d7faf6))
-* Fix `unscoped(where: [columns])` removing the wrong bind values.
- ([Pull Request](https://github.com/rails/rails/pull/29780))
-
-* When a `has_one` association is destroyed by `dependent: destroy`,
- `destroyed_by_association` will now be set to the reflection, matching the
- behaviour of `has_many` associations.
- ([Pull Request](https://github.com/rails/rails/pull/29855))
-
-* Fix `COUNT(DISTINCT ...)` with `ORDER BY` and `LIMIT`
- to keep the existing select list.
- ([Pull Request](https://github.com/rails/rails/pull/29848))
-
* `ApplicationRecord` is no longer generated when generating models. If you
need to generate it, it can be created with `rails g application_record`.
([Pull Request](https://github.com/rails/rails/pull/29916))
@@ -652,9 +498,6 @@ Please refer to the [Changelog][active-record] for detailed changes.
* Add `binary` fixture helper method.
([Pull Request](https://github.com/rails/rails/pull/30073))
-* Ensure `sum` honors `distinct` on `has_many :through` associations.
- ([Commit](https://github.com/rails/rails/commit/566f1fd068711dfe557bef63406f8dd6d41d473d))
-
* Automatically guess the inverse associations for STI.
([Pull Request](https://github.com/rails/rails/pull/23425))
@@ -676,19 +519,6 @@ Please refer to the [Changelog][active-record] for detailed changes.
* PostgreSQL `tsrange` now preserves subsecond precision.
([Pull Request](https://github.com/rails/rails/pull/30725))
-* Fix `COUNT(DISTINCT ...)` for `GROUP BY` with `ORDER BY` and `LIMIT`.
- ([Commit](https://github.com/rails/rails/commit/5668dc6b1863ef43be8f8ef0fb1d5db913085fb3))
-
-* MySQL: Don't lose `auto_increment: true` in the `db/schema.rb`.
- ([Commit](https://github.com/rails/rails/commit/9493d4553569118b2a85da84fd3a8ba2b5b2de76))
-
-* Fix longer sequence name detection for serial columns.
- ([Pull Request](https://github.com/rails/rails/pull/28339))
-
-* Fix `bin/rails db:setup` and `bin/rails db:test:prepare` create wrong
- ar_internal_metadata's data for a test database.
- ([Pull Request](https://github.com/rails/rails/pull/30579))
-
* Raises when calling `lock!` in a dirty record.
([Commit](https://github.com/rails/rails/commit/63cf15877bae859ff7b4ebaf05186f3ca79c1863))
@@ -732,9 +562,6 @@ Please refer to the [Changelog][active-record] for detailed changes.
* Add support for PostgreSQL operator classes to `add_index`.
([Pull Request](https://github.com/rails/rails/pull/19090))
-* Fix conflicts `counter_cache` with `touch: true` by optimistic locking.
- ([Pull Request](https://github.com/rails/rails/pull/31405))
-
* Log database query callers.
([Pull Request](https://github.com/rails/rails/pull/26815),
[Pull Request](https://github.com/rails/rails/pull/31519),
@@ -746,16 +573,6 @@ Please refer to the [Changelog][active-record] for detailed changes.
* Using subselect for `delete_all` with `limit` or `offset`.
([Commit](https://github.com/rails/rails/commit/9e7260da1bdc0770cf4ac547120c85ab93ff3d48))
-* Fix `count(:all)` to correctly work `distinct` with custom SELECT list.
- ([Commit](https://github.com/rails/rails/commit/c6cd9a59f200863ccfe8ad1d9c5a8876c39b9c5c))
-
-* Fix to invoke callbacks when using `update_attribute`.
- ([Commit](https://github.com/rails/rails/commit/732aa34b6e6459ad66a3d3ad107cfff75cc45160))
-
-* Use `count(:all)` in `HasManyAssociation#count_records` to prevent invalid
- SQL queries for association counting.
- ([Pull Request](https://github.com/rails/rails/pull/27561))
-
* Fixed inconsistency with `first(n)` when used with `limit()`.
The `first(n)` finder now respects the `limit()`, making it consistent
with `relation.to_a.first(n)`, and also with the behavior of `last(n)`.
@@ -779,17 +596,10 @@ Please refer to the [Changelog][active-record] for detailed changes.
* Clear the transaction state when an Active Record object is duped.
([Pull Request](https://github.com/rails/rails/pull/31751))
-* Fix `count(:all)` with eager loading and having an order other than
- the driving table.
- ([Commit](https://github.com/rails/rails/commit/ebc09ed9ad9a04338138739226a1a92c7a2707ee))
-
* Fix not expanded problem when passing an Array object as argument
to the where method using `composed_of` column.
([Pull Request](https://github.com/rails/rails/pull/31724))
-* PostgreSQL: Allow pg-1.0 gem to be used with Active Record.
- ([Pull Request](https://github.com/rails/rails/pull/31671))
-
* Make `reflection.klass` raise if `polymorphic?` not to be misused.
([Commit](https://github.com/rails/rails/commit/63fc1100ce054e3e11c04a547cdb9387cd79571a))
@@ -798,10 +608,6 @@ Please refer to the [Changelog][active-record] for detailed changes.
even if `ORDER BY` columns include other table's primary key.
([Commit](https://github.com/rails/rails/commit/851618c15750979a75635530200665b543561a44))
-* Fix that after commit callbacks on update does not triggered
- when optimistic locking is enabled.
- ([Commit](https://github.com/rails/rails/commit/7f9bd034c485c2425ae0164ff5d6374834e3aa1d))
-
* Fix `dependent: :destroy` issue for has_one/belongs_to relationship where
the parent class was getting deleted when the child was not.
([Commit](https://github.com/rails/rails/commit/b0fc04aa3af338d5a90608bf37248668d59fc881))
@@ -818,10 +624,6 @@ Please refer to the [Changelog][active-model] for detailed changes.
Change `#values` to only return the not empty values.
([Pull Request](https://github.com/rails/rails/pull/28584))
-* Fix regression in numericality validator when comparing Decimal and Float
- input values with more scale than the schema.
- ([Pull Request](https://github.com/rails/rails/pull/28584))
-
* Add method `#merge!` for `ActiveModel::Errors`.
([Pull Request](https://github.com/rails/rails/pull/29714))
@@ -832,9 +634,6 @@ Please refer to the [Changelog][active-model] for detailed changes.
is `false`.
([Pull Request](https://github.com/rails/rails/pull/31058))
-* Fix to working before/after validation callbacks on multiple contexts.
- ([Pull Request](https://github.com/rails/rails/pull/31483))
-
* Models using the attributes API with a proc default can now be marshalled.
([Commit](https://github.com/rails/rails/commit/0af36c62a5710e023402e37b019ad9982e69de4b))
@@ -883,10 +682,6 @@ Please refer to the [Changelog][active-support] for detailed changes.
in Active Record and its use in Action Pack's fragment caching.
([Pull Request](https://github.com/rails/rails/pull/29092))
-* Fix implicit coercion calculations with scalars and durations.
- ([Pull Request](https://github.com/rails/rails/pull/29163),
- [Pull Request](https://github.com/rails/rails/pull/29971))
-
* Add `ActiveSupport::CurrentAttributes` to provide a thread-isolated
attributes singleton. Primary use case is keeping all the per-request
attributes easily available to the whole system.
@@ -923,9 +718,6 @@ Please refer to the [Changelog][active-support] for detailed changes.
`ActiveSupport::MessageEncryptor`.
([Pull Request](https://github.com/rails/rails/pull/29892))
-* Fix modulo operations involving durations.
- ([Commit](https://github.com/rails/rails/commit/a54e13bd2e8fb4d6aa0aebe59271699a2d62567b))
-
* Update `String#camelize` to provide feedback when wrong option is passed.
([Pull Request](https://github.com/rails/rails/pull/30039))
@@ -1016,9 +808,6 @@ Please refer to the [Changelog][active-support] for detailed changes.
This allows to specify multiple numeric differences in the same assertion.
([Pull Request](https://github.com/rails/rails/pull/31600))
-* Return all mappings for a timezone identifier in `country_zones`.
- ([Commit](https://github.com/rails/rails/commit/cdce6a709e1cbc98fff009effc3b1b3ce4c7e8db))
-
* Caching: MemCache and Redis `read_multi` and `fetch_multi` speedup.
Read from the local in-memory cache before consulting the backend.
([Commit](https://github.com/rails/rails/commit/a2b97e4ffef971607a1be8fc7909f099b6840f36))
@@ -1030,9 +819,6 @@ Please refer to the [Changelog][active-job] for detailed changes.
### Notable changes
-* Add support for compatibility with redis-rb gem for 4.0 version.
- ([Pull Request](https://github.com/rails/rails/pull/30748))
-
* Allow block to be passed to `ActiveJob::Base.discard_on` to allow custom
handling of discard jobs.
([Pull Request](https://github.com/rails/rails/pull/30622))
diff --git a/guides/source/action_controller_overview.md b/guides/source/action_controller_overview.md
index eadd517f07..5b421756e8 100644
--- a/guides/source/action_controller_overview.md
+++ b/guides/source/action_controller_overview.md
@@ -51,7 +51,7 @@ class ClientsController < ApplicationController
end
```
-As an example, if a user goes to `/clients/new` in your application to add a new client, Rails will create an instance of `ClientsController` and call its `new` method. Note that the empty method from the example above would work just fine because Rails will by default render the `new.html.erb` view unless the action says otherwise. The `new` method could make available to the view a `@client` instance variable by creating a new `Client`:
+As an example, if a user goes to `/clients/new` in your application to add a new client, Rails will create an instance of `ClientsController` and call its `new` method. Note that the empty method from the example above would work just fine because Rails will by default render the `new.html.erb` view unless the action says otherwise. By creating a new `Client`, the `new` method can make a `@client` instance variable accessible in the view:
```ruby
def new
diff --git a/guides/source/action_mailer_basics.md b/guides/source/action_mailer_basics.md
index 9f239da90f..662f9ea38a 100644
--- a/guides/source/action_mailer_basics.md
+++ b/guides/source/action_mailer_basics.md
@@ -20,9 +20,18 @@ Introduction
------------
Action Mailer allows you to send emails from your application using mailer classes
-and views. Mailers work very similarly to controllers. They inherit from
-`ActionMailer::Base` and live in `app/mailers`, and they have associated views
-that appear in `app/views`.
+and views.
+
+#### Mailers are similar to controllers
+
+They inherit from `ActionMailer::Base` and live in `app/mailers`. Mailers also work
+very similarly to controllers. Some examples of similarities are enumerated below.
+Mailers have:
+
+* Actions, and also, associated views that appear in `app/views`.
+* Instance variables that are accessible in views.
+* The ability to utilise layouts and partials.
+* The ability to access a params hash.
Sending Emails
--------------
@@ -60,8 +69,7 @@ end
```
As you can see, you can generate mailers just like you use other generators with
-Rails. Mailers are conceptually similar to controllers, and so we get a mailer,
-a directory for views, and a test.
+Rails.
If you didn't want to use a generator, you could create your own file inside of
`app/mailers`, just make sure that it inherits from `ActionMailer::Base`:
@@ -73,10 +81,9 @@ end
#### Edit the Mailer
-Mailers are very similar to Rails controllers. They also have methods called
-"actions" and use views to structure the content. Where a controller generates
-content like HTML to send back to the client, a Mailer creates a message to be
-delivered via email.
+Mailers have methods called "actions" and they use views to structure their content.
+Where a controller generates content like HTML to send back to the client, a Mailer
+creates a message to be delivered via email.
`app/mailers/user_mailer.rb` contains an empty mailer:
@@ -110,9 +117,6 @@ messages in this class. This can be overridden on a per-email basis.
* `mail` - The actual email message, we are passing the `:to` and `:subject`
headers in.
-Just like controllers, any instance variables we define in the method become
-available for use in the views.
-
#### Create a Mailer View
Create a file called `welcome_email.html.erb` in `app/views/user_mailer/`. This
diff --git a/guides/source/active_storage_overview.md b/guides/source/active_storage_overview.md
index 831a02a9a1..d67f65e88a 100644
--- a/guides/source/active_storage_overview.md
+++ b/guides/source/active_storage_overview.md
@@ -114,6 +114,13 @@ gem "aws-sdk-s3", require: false
NOTE: The core features of Active Storage require the following permissions: `s3:ListBucket`, `s3:PutObject`, `s3:GetObject`, and `s3:DeleteObject`. If you have additional upload options configured such as setting ACLs then additional permissions may be required.
+NOTE: If you want to use environment variables, standard SDK configuration files, profiles,
+IAM instance profiles or task roles, you can omit the `access_key_id`, `secret_access_key`,
+and `region` keys in the example above. The Amazon S3 Service supports all of the
+authentication options described in the [AWS SDK documentation]
+(https://docs.aws.amazon.com/sdk-for-ruby/v3/developer-guide/setup-config.html).
+
+
### Microsoft Azure Storage Service
Declare an Azure Storage service in `config/storage.yml`:
diff --git a/guides/source/caching_with_rails.md b/guides/source/caching_with_rails.md
index 5dde6f34fa..3f357b532b 100644
--- a/guides/source/caching_with_rails.md
+++ b/guides/source/caching_with_rails.md
@@ -446,30 +446,28 @@ config.cache_store = :mem_cache_store, "cache-1.example.com", "cache-2.example.c
### ActiveSupport::Cache::RedisCacheStore
-The Redis cache store takes advantage of Redis support for least-recently-used
-and least-frequently-used key eviction when it reaches max memory, allowing it
-to behave much like a Memcached cache server.
+The Redis cache store takes advantage of Redis support for automatic eviction
+when it reaches max memory, allowing it to behave much like a Memcached cache server.
Deployment note: Redis doesn't expire keys by default, so take care to use a
dedicated Redis cache server. Don't fill up your persistent-Redis server with
volatile cache data! Read the
[Redis cache server setup guide](https://redis.io/topics/lru-cache) in detail.
-For an all-cache Redis server, set `maxmemory-policy` to an `allkeys` policy.
-Redis 4+ support least-frequently-used (`allkeys-lfu`) eviction, an excellent
-default choice. Redis 3 and earlier should use `allkeys-lru` for
-least-recently-used eviction.
+For a cache-only Redis server, set `maxmemory-policy` to one of the variants of allkeys.
+Redis 4+ supports least-frequently-used eviction (`allkeys-lfu`), an excellent
+default choice. Redis 3 and earlier should use least-recently-used eviction (`allkeys-lru`).
Set cache read and write timeouts relatively low. Regenerating a cached value
is often faster than waiting more than a second to retrieve it. Both read and
write timeouts default to 1 second, but may be set lower if your network is
-consistently low latency.
+consistently low-latency.
By default, the cache store will not attempt to reconnect to Redis if the
connection fails during a request. If you experience frequent disconnects you
may wish to enable reconnect attempts.
-Cache reads and writes never raise exceptions. They just return `nil` instead,
+Cache reads and writes never raise exceptions; they just return `nil` instead,
behaving as if there was nothing in the cache. To gauge whether your cache is
hitting exceptions, you may provide an `error_handler` to report to an
exception gathering service. It must accept three keyword arguments: `method`,
@@ -477,12 +475,33 @@ the cache store method that was originally called; `returning`, the value that
was returned to the user, typically `nil`; and `exception`, the exception that
was rescued.
-Putting it all together, a production Redis cache store may look something
-like this:
+To get started, add the redis gem to your Gemfile:
```ruby
-cache_servers = %w[ "redis://cache-01:6379/0", "redis://cache-02:6379/0", … ],
-config.cache_store = :redis_cache_store, url: cache_servers,
+gem 'redis'
+```
+
+You can enable support for the faster [hiredis](https://github.com/redis/hiredis)
+connection library by additionally adding its ruby wrapper to your Gemfile:
+
+```ruby
+gem 'hiredis'
+```
+
+Redis cache store will automatically require & use hiredis if available. No further
+configuration is needed.
+
+Finally, add the configuration in the relevant `config/environments/*.rb` file:
+
+```ruby
+config.cache_store = :redis_cache_store, { url: ENV['REDIS_URL'] }
+```
+
+A more complex, production Redis cache store may look something like this:
+
+```ruby
+cache_servers = %w(redis://cache-01:6379/0 redis://cache-02:6379/0)
+config.cache_store = :redis_cache_store, { url: cache_servers,
connect_timeout: 30, # Defaults to 20 seconds
read_timeout: 0.2, # Defaults to 1 second
@@ -491,9 +510,10 @@ config.cache_store = :redis_cache_store, url: cache_servers,
error_handler: -> (method:, returning:, exception:) {
# Report errors to Sentry as warnings
- Raven.capture_exception exception, level: 'warning",
+ Raven.capture_exception exception, level: 'warning',
tags: { method: method, returning: returning }
}
+}
```
### ActiveSupport::Cache::NullStore
diff --git a/guides/source/configuring.md b/guides/source/configuring.md
index 368b74f708..8bdba4b3de 100644
--- a/guides/source/configuring.md
+++ b/guides/source/configuring.md
@@ -400,10 +400,16 @@ by adding the following to your `application.rb` file:
Rails.application.config.active_record.sqlite3.represent_boolean_as_integer = true
```
-The schema dumper adds one additional configuration option:
+The schema dumper adds two additional configuration options:
* `ActiveRecord::SchemaDumper.ignore_tables` accepts an array of tables that should _not_ be included in any generated schema file.
+* `ActiveRecord::SchemaDumper.fk_ignore_pattern` allows setting a different regular
+ expression that will be used to decide whether a foreign key's name should be
+ dumped to db/schema.rb or not. By default, foreign key names starting with
+ `fk_rails_` are not exported to the database schema dump.
+ Defaults to `/^fk_rails_[0-9a-f]{10}$/`.
+
### Configuring Action Controller
`config.action_controller` includes a number of configuration settings:
diff --git a/guides/source/security.md b/guides/source/security.md
index 4cf6c06f2d..b419f7b48d 100644
--- a/guides/source/security.md
+++ b/guides/source/security.md
@@ -1089,6 +1089,112 @@ Here is a list of common headers:
* **Access-Control-Allow-Origin:** Used to control which sites are allowed to bypass same origin policies and send cross-origin requests.
* **Strict-Transport-Security:** [Used to control if the browser is allowed to only access a site over a secure connection](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security)
+### Content Security Policy
+
+Rails provides a DSL that allows you to configure a
+[Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy)
+for your application. You can configure a global default policy and then
+override it on a per-resource basis and even use lambdas to inject per-request
+values into the header such as account subdomains in a multi-tenant application.
+
+Example global policy:
+
+```ruby
+# config/initializers/content_security_policy.rb
+Rails.application.config.content_security_policy do |policy|
+ policy.default_src :self, :https
+ policy.font_src :self, :https, :data
+ policy.img_src :self, :https, :data
+ policy.object_src :none
+ policy.script_src :self, :https
+ policy.style_src :self, :https
+
+ # Specify URI for violation reports
+ policy.report_uri "/csp-violation-report-endpoint"
+end
+```
+
+Example controller overrides:
+
+```ruby
+# Override policy inline
+class PostsController < ApplicationController
+ content_security_policy do |p|
+ p.upgrade_insecure_requests true
+ end
+end
+
+# Using literal values
+class PostsController < ApplicationController
+ content_security_policy do |p|
+ p.base_uri "https://www.example.com"
+ end
+end
+
+# Using mixed static and dynamic values
+class PostsController < ApplicationController
+ content_security_policy do |p|
+ p.base_uri :self, -> { "https://#{current_user.domain}.example.com" }
+ end
+end
+
+# Disabling the global CSP
+class LegacyPagesController < ApplicationController
+ content_security_policy false, only: :index
+end
+```
+
+Use the `content_security_policy_report_only`
+configuration attribute to set
+[Content-Security-Policy-Report-Only](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only)
+in order to report only content violations for migrating
+legacy content
+
+```ruby
+# config/initializers/content_security_policy.rb
+Rails.application.config.content_security_policy_report_only = true
+```
+
+```ruby
+# Controller override
+class PostsController < ApplicationController
+ content_security_policy_report_only only: :index
+end
+```
+
+You can enable automatic nonce generation:
+
+```ruby
+# config/initializers/content_security_policy.rb
+Rails.application.config.content_security_policy do |policy|
+ policy.script_src :self, :https
+end
+
+Rails.application.config.content_security_policy_nonce_generator = -> request { SecureRandom.base64(16) }
+```
+
+Then you can add an automatic nonce value by passing `nonce: true`
+as part of `html_options`. Example:
+
+```html+erb
+<%= javascript_tag nonce: true do -%>
+ alert('Hello, World!');
+<% end -%>
+```
+
+Use [`csp_meta_tag`](http://api.rubyonrails.org/classes/ActionView/Helpers/CspHelper.html#method-i-csp_meta_tag)
+helper to create a meta tag "csp-nonce" with the per-session nonce value
+for allowing inline `<script>` tags.
+
+```html+erb
+<head>
+ <%= csp_meta_tag %>
+</head>
+```
+
+This is used by the Rails UJS helper to create dynamically
+loaded inline `<script>` elements.
+
Environmental Security
----------------------
generated by cgit v1.2.3 (git 2.25.1) at 2024-09-06 10:19:35 +0000