rails-security-review
Rails Security Review
Use this skill when the task is to review or harden Rails code from a security perspective.
Core principle: Prioritize exploitable issues over style. Assume any untrusted input can be abused.
HARD-GATE: Authorization Findings Lead the Report
BEFORE returning your security review, verify:
1. The FIRST finding section in your output is "Authentication & Authorization"
2. SQL injection, XSS, or other findings come AFTER auth/authz — even if they feel more severe or were discovered first
3. If no auth/authz issue exists, the report still opens with an explicit "Authentication & Authorization: no issues found" line BEFORE any other finding category
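The three checks above can be applied mechanically before a review is returned. The Ruby below is an added example, not part of this skill file: it scans a plain-text review report for finding-category headings and confirms that the first one is "Authentication & Authorization" (a line reading "Authentication & Authorization: no issues found" satisfies rule 3). The report layout it assumes (one heading per line, optionally prefixed with markdown `#` marks) and the category list it matches against are assumptions of this example; the sample reports are constructed.

```ruby
# Added example: enforce the hard gate on a finished review report.
# Assumption: headings are single lines, optionally prefixed with '#' marks,
# naming one of the known finding categories and optionally followed by ':'.

AUTHZ_HEADING = "Authentication & Authorization".freeze

# Finding categories a report may contain (constructed list for this example).
FINDING_CATEGORIES = [
  AUTHZ_HEADING,
  "SQL Injection",
  "Cross-Site Scripting (XSS)",
  "Mass Assignment",
  "CSRF",
].freeze

# Matches a heading line: leading '#' marks, then a known category, then either
# end of line or a ':' (so the explicit "no issues found" line also counts).
HEADING_PATTERN = /\A\s*#*\s*(#{FINDING_CATEGORIES.map { |c| Regexp.escape(c) }.join('|')})(?=\s*$|\s*:)/

# Return the finding-category headings in the order they appear in the report.
def finding_sections(report)
  report.each_line.filter_map do |line|
    m = HEADING_PATTERN.match(line)
    m && m[1]
  end
end

# Apply the gate. Returns [true, nil] when the ordering rule holds, otherwise
# [false, reason]. A report with no finding sections at all fails rule 3,
# because the explicit auth/authz line must always be present.
def authz_gate(report)
  sections = finding_sections(report)
  return [false, "report contains no finding sections; rule 3 requires an explicit auth/authz line"] if sections.empty?
  unless sections.first == AUTHZ_HEADING
    return [false, "first finding section is #{sections.first.inspect}, expected #{AUTHZ_HEADING.inspect}"]
  end
  [true, nil]
end

# Constructed sample reports exercising each rule.
SAMPLE_REPORTS = {
  compliant: <<~REPORT,
    # Authentication & Authorization
    - Post#show loads Post.find(params[:id]) without scoping to current_user
    # SQL Injection
    - Post#search interpolates params[:q] into a where string
  REPORT
  wrong_order: <<~REPORT,
    # SQL Injection
    - Post#search interpolates params[:q] into a where string
    # Authentication & Authorization
    - Post#show loads Post.find(params[:id]) without scoping to current_user
  REPORT
  explicit_none: <<~REPORT,
    Authentication & Authorization: no issues found
    # Cross-Site Scripting (XSS)
    - show.html.erb renders @post.body with raw
  REPORT
  no_sections: "Looks fine overall.\n",
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_REPORTS.each do |name, report|
    ok, reason = authz_gate(report)
    puts "#{name}: #{ok ? 'PASS' : "FAIL (#{reason})"}"
  end
end
```

Run the file directly to see one PASS/FAIL line per sample; in an agent pipeline, call `authz_gate` on the draft report and refuse to return it until the result is `[true, nil]`.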
Quick Reference
Related skills