Unfortunately, it brings a lot of challenges. Experts on X telling you you’re being left behind if you’re not running 10 sessions at once. Code quality dropping to the ground. Constant exhaustion from context switching. It’s a clear path to burnout. I’ve seen it myself - on me and on my team.

But it doesn’t have to be this way. Over the last few months I’ve adjusted how I work with AI - how many agents I run, when I look at them, what I let interrupt me - and the chaos got manageable.

Don’t go in at the deep end

Let’s say it out loud: it’s ok to work on one thing at a time. AI makes you way more productive than ever even without running multiple agents at once.

The fastest way to burn out is to jump straight to ten sessions before you can run one well. You end up babysitting all of them, reviewing code you don’t fully understand, and feeling busier than ever while quality slowly drops.

Before scaling up, learn how to work with a single agent efficiently - without constantly interfering or guiding it. Your agent should be able to take a task from start to finish on its own. There are many ways to achieve this: proper CLAUDE.md/AGENTS.md files, clear prompts, related skills, linters, plan mode and so on. The single highest-leverage habit is the simplest one: every time your agent makes a mistake, add a rule that prevents it from happening again. That’s how the agent gets trustworthy over time.

If you feel like you’re wasting time waiting for the AI to finish, try fast mode (available in Codex for 2x tokens or in Claude as extra usage). But fix the autonomy problem first - going faster doesn’t help if you’re still in the loop on every decision.

Scaling up

Once your agent can run a task end-to-end without you, you’re ready to add more. Four things made the difference for me: scaling slowly, planning my day in advance, killing the noise, and using a real orchestrator.

Scale slowly

Don’t jump from one session to ten. Start with two. Then maybe three. If you can keep them running without losing track of what either is doing, add another. If you can’t, drop back for a few more days. The right number is personal - some people max out at three, others run eight. Find yours, don’t copy someone else’s.

Plan your switches

Constant context switching is a real problem - and it’s nothing new. Before AI, I hit it as I took on more responsibilities: reviewing CVs, conducting interviews, code reviews, finishing my own tasks. What pulled me out was time-blocking my day in advance, and the same principle works for AI sessions.

I start all my sessions at the same time, and I make sure each agent has everything it needs to run end-to-end. Then I don’t look at them - I move on to whatever’s next on my list: reviews, emails, my own coding. I don’t care if a session fails or finishes early. It can wait. It’s not going to starve. I check them when it’s their turn in my plan, not when they ping me.

Reduce the noise

AI didn’t invent notification overload, but it cranked it up by 100x. Every agent wants to ping you the moment it’s done. Every PR comment, every CI failure, every Slack message competes for the same attention. Don’t turn async into sync.

The fix is mechanical: turn the notifications off. Agent pings, PR comments, channel messages - anything that isn’t urgent. The only thing allowed to interrupt me is production on fire.

Here’s a dumb analogy: you’re chopping vegetables for soup. Someone asks you to also peel a potato. You don’t stop mid-cucumber - unless the kitchen is on fire, the potato can wait.

Use proper tools

Running multiple agents from separate terminal windows works for two or three sessions, but it falls apart fast. You need an orchestration layer - one place to start tasks, watch progress, and review diffs without juggling windows.

Codex and Claude both ship one. If you don’t want to be tied to a single provider, Conductor and Emdash are both good. Try a couple, pick the one that fits how you actually work.

It’s a skill, not a setting

Working with AI well isn’t just about picking the right model or writing the perfect prompt. It’s about managing yourself. The tools got faster, but your attention budget hasn’t changed.

If you don’t protect your focus, AI won’t just speed you up - it’ll speed up the chaos too.

What does “agent-friendly” even mean?

An agent-friendly website is one that AI agents can reliably navigate, understand, and interact with. There’s a growing set of standards and conventions that make this possible. Some already exist and just need to be adopted. Others are brand new.

In this article, we’ll cover five building blocks - from controlling agent access with robots.txt, through helping them discover your content with llms.txt and markdown, to letting them interact with your product via OpenAPI and WebMCP.

Let’s start simple - robots.txt

You already have a robots.txt. But have you looked at it recently?

Traditionally, robots.txt controlled which crawlers can access your website. It also applies to AI agents. Make sure that you’re not blocking them.

At this point, you may think - “hold on, I don’t want them to use my content for training!”. It’s a valid point, but luckily, it’s possible to distinguish between an AI agent acting on behalf of a human and a crawler grabbing content for training. For example, OpenAI provides a list of user-agent strings they use. Other providers like Anthropic and Google do the same. So you may allow access for OAI-SearchBot and ChatGPT-User but block it for GPTBot.

Example robots.txt:

User-Agent: *
Allow: /

User-agent: ChatGPT-User
Allow: /

User-agent: GPTBot
Disallow: /

llms.txt - a guide for AI agents

robots.txt tells agents what they can access. llms.txt tells them what they should access.

It’s a markdown file placed at the root of your website that provides an overview of your site. Think of it as a README for AI agents - short description, links to key pages, and guidance on what matters.

# My SaaS Product

> A tool that helps developers ship faster.

## Docs

- [Getting Started](/docs/getting-started)
- [API Reference](/docs/api)
- [Changelog](/changelog)

## Optional

- [Blog](/blog)
- [Pricing](/pricing)

Why markdown? Because it’s simple. No parsing, no noise. Just pure content that won’t eat thousands of tokens. Some sites also provide an llms-full.txt - a more detailed version with full content inlined, so agents don’t even need to follow links.

Markdown versions of your content

llms.txt can point agents to specific pages, which ideally should also be available in markdown. Providing markdown versions of your content is a great way to make sure agents can access it efficiently.

There are a few ways to do this - you can allow .md extension, a ?format=markdown query param or just serve it via HTTP content negotiation (Accept header).

If you’re running a documentation site, a blog, or any content-heavy platform, this is low-hanging fruit. Your content probably already exists in markdown before it gets rendered to HTML anyway. Just make the source accessible and agents will love you for it.

OpenAPI - let agents use your product

Everything we’ve covered so far is about agents reading your content. Let’s talk about using your product.

If your product has an API, an OpenAPI spec is the most important thing you can offer to AI agents. It’s a standardized description of every endpoint, parameter, and response your API supports.

Agents can read an OpenAPI spec and immediately know how to interact with your product - no documentation crawling, no guessing, no hallucinated endpoints.

If you already have an OpenAPI spec, make sure it’s discoverable. Link to it from your llms.txt and your docs.

WebMCP - agent-native integration

You’ve probably heard about MCP already, but in case you haven’t - it’s a standardized way to integrate AI agents with external services. MCP servers expose tools (actions the agent can take), resources (data it can read), and prompts (predefined interactions). Obviously, you can expose an MCP server just like an API.

WebMCP is a JavaScript interface. Wait, JavaScript? Didn’t we want to skip all HTML/CSS/JS noise and provide pure markdown? Well, yes, but consider it as an alternative approach. A lot of SPAs (which are terrible for agents) can be easily adjusted - you’ll just need to expose existing functions as MCP tools. It can also create a hybrid experience, where a user and an agent cooperate. Consider this example - you want to buy shoes. You’ll browse the catalog, find the ones you like, the agent can look for similar ones. Then, you pick one pair, the agent fills the address and you confirm the payment.

WebMCP is still very fresh and experimental. At this time it’s available in Chrome’s early preview program.

Your new users are coming

Great, now you know the key building blocks of agent-friendly websites. If you’d like to test if everything is in order on your website, take a look at AgentProbe. It’s a simple free tool that I built. It checks various aspects of your website and suggests improvements.

Keep an eye out, things are changing fast. 2026 is the year of AI agents, and we’re still in the early stages of their development.

The review problem

When writing code yourself, you have a mental model of what the code does. Unfortunately, AI-generated code doesn’t give you that. A short summary of changes is all you get with a 500-line diff. To properly review it, you need to understand the context, verify correctness, and catch all the subtle bugs. Let’s face it - the same thing applies to your coworkers’ code, it’s not something new. The problem begins when you have so much code to review that you can’t keep up with it. Your review process becomes a bottleneck.

Don’t let AI repeat its mistakes

What’s worse, your AI assistant won’t learn from its mistakes unless you make it do so. Obviously, it’ll fix the issues you point out, but it’ll make them again in the future. AI agents always start with a blank page. Their only persisted context is your code and memory files (AGENTS.md/CLAUDE.md). If, during review, you notice that AI is not following specific patterns, code conventions, or just forgets to write tests, make sure to capture that. Add instructions to your memory files or use dedicated Skills to avoid repeating the same mistakes. You can also enforce rules by adding tools like linters to pre-commit hooks. The goal is to reduce the number of style-related mistakes to zero, so you can focus on the important parts - what the code actually does.

Understanding the context

One of the biggest pain points in understanding the code is the organization of changes. When reviewing a PR on GitHub, you’ll see all the changes grouped by file in alphabetical order. If it’s a small PR, that’s fine, but when changes are spread across dozens of files and hundreds of lines of code, you won’t be able to understand it quickly by going from top to bottom. You’re left jumping between files, trying to piece together the story. It takes a lot of time and effort to understand the big picture, and when you finally do, you still need to go through every file so you won’t miss anything.

My approach: let AI organize the review

I’ve been experimenting with a different workflow. Since AI wrote the code, it might as well help me review it. The idea is to let the assistant organize the review process. It can split the diff into logical units and add meaningful annotations. Then I can review it in a more structured way. Annotations help me understand the context of the change, making the whole thing less overwhelming.

Now the fun part - how to actually do it?

I built a Claude Code skill just for that.

Here’s what it does:

1. Splits the diff into blocks - individual hunks, each representing one continuous change region (multiple changes in one file can result in multiple blocks)
2. Groups blocks by logical concern - not by file, but by what they actually do together. A “new API endpoint” section gathers the code in the route, controller, tests, and type definitions as one unit
3. Adds inline annotations - short explanations of why something changed, not what changed (you can read the diff, right?)
4. Generates an interactive HTML page - split-view diffs with syntax highlighting where you can click any line to leave comments, then export your feedback (UI included in the skill)

After reviewing, I export my comments and feed them back into the agent so it can fix the issues.

Feel free to try it out on your own code:

Install the skill:

npx skills add kukicola/skills/help-me-review

Use in the agent:

/help-me-review [PR or branch or commit]

If you work on public repositories, you can also try out Devin Review.

GitHub has also started experimenting with this natively via Copilot, though only on paid plans.

Don’t let it become AI slop

The developer role is shifting. Writing code is not the most time-consuming part of the job anymore. As software engineers, we need to adapt - utilize AI to deliver value faster, at every step of the process. Without proper orchestration and review, one may end up with so-called “AI slop” - huge technical debt, unmaintainable code, and security vulnerabilities.

Yes, things are happening fast, but it’s not a reason to panic. Think for a second - why did you become a developer? Because it was fun. It was a hobby, you enjoyed building things, you created something useful and it felt great. Don’t let the constant hype keep you away from what you love and do best - building things. You can’t do that when you’re constantly improving your workflow because some guy on X codes “100x faster” thanks to “amazing new tool”. It’s just another distraction. You need to find your own balance.

As a developer, I bet you encountered cases when you could make your code a bit better but it would require a big refactor to get there. Sometimes it’s just not worth it. The same goes for your workflow. Tools come and go. The ones really worth using, stay. It’s like with frontend frameworks. There was a time when almost every day there was a new one. What happened? We still use React, Vue and Angular. Nowadays, one week everyone is talking about Ralph Loop and on the next one OpenClaw takes all the spotlight. Who knows what’s going to be on top tomorrow. It’s ok if you don’t test everything on your own.

I figured out my perfect workflow at the beginning of the year and so far I didn’t change it. I got used to Claude Code. I feel confident using it, it feels right. So I don’t really care that according to some benchmarks GPT-5.3-Codex is a bit better. I’m already moving faster than ever before. When I focus on building, everything else is just a distraction.

I’m not saying that you shouldn’t try new things. In the past, every time I started a new project I would try to use something new. And I still do, I just don’t force it. I allow myself to be a bit behind, because I’m already way ahead of where I was. I’m sure you heard of the Pareto Principle - 80% of the results come from 20% of the effort. It applies to AI as well. I’m ok with the fact that my workflow is just 80% perfect. The remaining 20% is not worth the constant chase. So yes, I’m behind. And that’s fine.

Egress-only Internet Gateway vs NAT Gateway

NAT Gateway allows instances on private subnets to access the Internet over IPv4. Located on a public subnet, it connects instances to the Internet Gateway.

Source - https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat.html

Egress-only Internet Gateway allows instances on private subnets to access the Internet directly via IPv6. Basically, you cut out the middleman, which isn’t necessary because IPv6 doesn’t require address translation. What is important, your instances will still be inaccessible from the outside world. And here’s the best part - it’s free!

Source - https://docs.aws.amazon.com/vpc/latest/userguide/egress-only-internet-gateway.html

Unfortunately, not all of the Internet is available on IPv6, so it’s not a silver bullet. We’ll keep NAT Gateways for IPv4 traffic. This is what our final architecture will look like:

Source - https://docs.aws.amazon.com/vpc/latest/userguide/vpc-migrate-ipv6-example.html

Enabling Egress-only Internet Gateway

As you might guess, we need to enable IPv6 first. This can be very easy if you are using the AWS CDK. If you are doing a manual setup, you may need to go through some additional steps - see https://docs.aws.amazon.com/vpc/latest/userguide/vpc-migrate-ipv6-add.html

Note that you may need to update other parts of your infrastructure to support IPv6. For example, if you’re using ECS, IPv6 will not work with the bridge network mode.

Also remember to update your security groups to prevent them from blocking outgoing traffic over IPv6.

With IPv6 enabled, you can create an Egress-only Internet Gateway. AWS CDK created it automatically for me, but you can also create it manually - https://docs.aws.amazon.com/vpc/latest/userguide/egress-only-internet-gateway-working-with.html

The easiest way to check if traffic is going over IPv6 is to check the NAT Gateway metrics in Cloudwatch. You should see a significant drop in metrics such as BytesOutToDestination or BytesInFromDestination.

You may want to tweak your application to prioritize IPv6 traffic. I can’t help you with that. In my case, I had to override DNS resolution to prioritize IPv6 over IPv4 for my HTTP client.

Other ways to reduce NAT Gateway cost

There are a few other tips to reduce NAT gateway costs. I won’t cover them in detail.

• Use Gateway Endpoints / Interface Endpoints for AWS services - https://docs.aws.amazon.com/vpc/latest/privatelink/gateway-endpoints.html
• Launch your own NAT instance instead. It can be cheaper, but it requires more management overhead - https://docs.aws.amazon.com/vpc/latest/userguide/work-with-nat-instances.html

Summary

If you are looking for a quick way to reduce the cost of NAT Gateway, enabling IPv6 and Egress-only Internet Gateway is an easy way to do it. It’s not a silver bullet, but hopefully it will save you some money.

Hanami 2.0 was released in November 2022. It was the perfect timing for me, since at the time, I was planning to build a small side project. I’ve never tried Hanami 1.x but read a lot about it, so when 2.0 was released I decided to give it a try. It was such an amazing journey that I decided to share my opinion about the brand-new framework.

About the project

To provide some context let’s talk a bit about my project itself.

We use tons of open source gems everyday. Thanks to the hard work of their authors, we can build our apps faster. I believe that we owe them some help. One of the ways to repay our debt, is to contribute to their software. That’s where I had the idea for ShinyGems - a place, where all issues with “help wanted” tag, for the most popular gems, are gathered together. The app was pretty straightforward to build and consists of two parts:

• background processing - periodically executed workers to pull data from RubyGems and GitHub
• web - pretty simple UI to display data we already have

The app is already live, you can see it here: shinygems.dev.
Source code is available on GitHub: kukicola/shiny_gems

First impressions

Hanami handles a lot of things differently than Rails. The first thing that catches your eye is widely used dependency container. In my opinion, dependency injection is an underrated pattern in the Ruby world (if you would like to learn more about DI, check out my article). Thanks to Hanami’s solution, we have clear, loosely coupled dependencies.

Another thing, that may be surprising at first, is that you won’t see any controllers. In Hanami, each action is a separate class with a handle method, which takes request and response arguments. Out of the box we have parameter validation with type coercion. At first, I was afraid that it’ll lead me to a huge number of almost-empty classes but after creating few endpoints I started to notice the value of this approach. Each action is extremely clean - we have dependencies defined at the top, params validation in the middle and finally the handle method fully focused on endpoints logic. This approach solves one of the Rails problems - huge controllers with multiple actions and private methods, often used by only some of the endpoints.

Example:

module Web
  module Actions
    module Gems
      class Index < Web::Action
        include Deps["repositories.gems_repository"]

        before :validate_params!

        DEFAULT_PARAMS = {
          page: 1,
          sort_by: "downloads"
        }.freeze

        SORTING_DIRECTIONS = ["name", "stars", "downloads", "issues_count", "recent_issues"].freeze

        params do
          optional(:page).filled(:integer)
          optional(:sort_by).filled(:string, included_in?: SORTING_DIRECTIONS)
        end

        def handle(request, response)
          params = DEFAULT_PARAMS.merge(request.params.to_h)

          result = gems_repository.index(page: params[:page], order: params[:sort_by])
          response[:gems] = result.to_a
          response[:pager] = result.pager
          response[:sort_by] = params[:sort_by]
        end
      end
    end
  end
end

Views are not included in 2.0 (will be included in 2.1) but I decided to use hanami/view directly from the main branch. Since some concepts may change before the release I won’t dive deep into it. Let me just mention my two favorite things:

• View is a class, not just a template. There is a place for view-related logic.
• Automatic object decoration (using classes called parts)

I honestly can’t wait for the release.

ROM

Persistent layer isn’t included in 2.0 as well but you can find instructions on how to integrate rom-rb with hanami in getting started guide (it’ll be built-in in 2.1). As you can expect, it’s also different than Active Record.

The problem with models in Rails is that they tend to quickly become “master” objects containing huge amount of responsibilities. Especially, they are responsible for both persistence and business logic. ROM separates those layers. You’ll use repositories (on top of relations, mappers and commands) to communicate with the DB. Instead of models, you’ll have entities - pure data in form of hash, struct or any custom object.

How many times have you seen long chains of Active Record methods scattered across controllers, services, etc.? With repositories, you can extract it and fully focus on your business logic by working on plain data. What is more, if we combine it with dependency injection, it’s easy to test things like services or actions without touching the database.

Sample repository:

module Processing
  module Repositories
    class GemsRepository < ROM::Repository[:gems]
      include Deps[container: "persistence.rom"]

      commands :create, update: :by_pk, delete: :by_pk
      auto_struct true

      def by_id(id, with: nil)
        query = gems.by_pk(id)
        query = query.combine(with) if with
        query.one
      end

      def pluck_ids_for_hour(hour)
        gems.where(Sequel.lit("id % 24 = ?", hour)).pluck(:id)
      end

      def pluck_name_by_list(items)
        gems.where(name: items).pluck(:name)
      end

      def replace_repo(old_id, new_id)
        gems.where(repo_id: old_id).update(repo_id: new_id)
      end
    end
  end
end

ROM is a really huge topic, so if you’d like to learn more, take a look at official website.

I have to admit I had a lot of problems with rom-factory (it’s like factory_bot for ROM) but I hope it’ll get better in the future.

Slices

It’s time for my favorite part - Slices. They allow you to split your application into smaller parts/modules. For example, you can split it by features and keep the directory structure based on them, not class type (feature/[actions/services/etc]/some_class.rb instead of [actions/services/etc]/feature/some_class.rb). The closest Rails solution, that I could compare it to, would be engines.

Each slice has a separate dependency container, you can define which classes should be exposed outside the slice. When used properly they can help you keep your code organized and isolated.

What is more, you can define which slices should be loaded using an environment variable. In ShinyGems, I have two slices - “web” and “processing”. “Processing” is loaded in sidekiq process. It contains all the workers and gems required to pull data from APIs. “Web”, as the name suggests, is loaded in web process. It contains all my actions and views. I don’t need workers or gems like octokit here so, thanks to slices, they are not loaded, keeping the memory usage low.

Directory tree of ShinyGems slices:

slices
├── processing
│   ├── config
│   ├── repositories
│   ├── services
│   └── workers
└── web
    ├── actions
    ├── assets
    ├── lib
    ├── repositories
    ├── services
    ├── templates
    └── views

Compared to Rails

I hope you don’t expect me to answer the question if Hanami is better than Rails. As always - it depends. It’s different. You won’t be able to build apps in Hanami as fast as in Rails. Although, Hanami encourages you to write cleaner and easier-to-test code, which will be painless to maintain.

A breath of fresh air

In Hanami guides, you can see that is built for maintainable, secure, faster and testable Ruby applications. Looks like the authors did their job perfectly:

• maintainable - slices, no fat models or controllers - check!
• secure - CSRF protection, CSP, parameters validations etc. out of the box - check!
• faster - it’s blazingly fast (for example, ShinyGems homepage response takes 10-15ms) - check!
• testable - separation between DB and application layers, DI - check!

I really enjoyed building ShinyGems with Hanami. Even with some hiccups, I felt like I’m learning something new every day. I would recommend you to try it even if you’re strongly attached to Rails. It’s always worth to see different approaches, gain fresh perspective.

If you’ll like to take a look at the real-world Hanami app I remind you that ShinyGems is open source: kukicola/shiny_gems.

Signed URLs can be a very useful solution in many cases when you need to provide limited access to some resources or actions. Today I’ll focus on when and how to use them in Ruby, with Rails, or by providing a custom implementation.

About Signed URLs

Signed URLs, as the name suggests, contain signatures that allow us to validate if they were generated by a trusted source. What is more, they may expire over time.

They can be used in many cases:

• account confirmations, password change confirmations, etc. without storing any tokens in DB
• providing access to resources for not authenticated users (for example, users in the app can generate some reports and share them with anyone with a link)
• providing access to resources in other apps without shared authentication (example: S3 direct upload) - in this case both services need to use the same secret to sign and verify URLs. What is important, your app doesn’t need to make any calls to API to generate such URLs.

How it works?

Signed URL apart from a standard query usually contains at least two additional params - signature and expires_at. To generate such URL we have to calculate the signature using the rest of the params.

Example:

/reports/50?signature=a6450e8d5049f511930f18c6d897adc31085453cf5bb8e246f35ab0109464499&expires_at=1673620751

Signature is calculated based on resource type - reports, id - 50, and expiry time - 1673620751.

To validate if the URL is valid we generate the signature again and compare it with the one in params.

In another approach (for example in the one implemented in Rails) you can merge all these things into one token. Example:

/reports/share/BAhJIhpyZXBvcnRzLTUwLTE2NzM2MjA5MjAGOgZFVA==--41083ebf51767fb089f0fbaac5b4a6c46638c51e

Th first part of this token (before --) contains information about resource and expiry time:

Marshal.load(Base64.decode64('BAhJIhpyZXBvcnRzLTUwLTE2NzM2MjA5MjAGOgZFVA=='))
=> "reports-50-1673620920"

The second part is just a signature.

Now let’s see how can we generate and validate such URLs in ruby.

Rails Signed ID

If you are using Rails and need to generate a signed URL for one of your models, the easiest way is to use Signed ID (introduced in 6.1).

signed_id = Report.find(50).signed_id(expires_in: 3.hours)
url = "/reports/share/#{signed_id}"

To find a resource and validate the signature:

Report.find_signed(params[:signed_id])
=> #<Report id: 50... 
# now we can allow user to view report

Report.find_signed("some-invalid-string")
=> nil
# signature is invalid, don't allow user to see the report

You can also pass purpose to signed_id method if you generate signed URLs for different actions on your model (for example password_reset and account_confirmation on User).

ActiveSupport::MessageVerifier

Another approach in Rails (or any other app using ActiveSupport) is MessageVerifier. It’s useful if your resource is not a model or you are not using ActiveRecord.

verifier = ActiveSupport::MessageVerifier.new(ENV['MY_SECRET_KEY'])
signed_msg = verifier.generate("reports-50", expires_in: 3.hours)
url = "/reports/share/#{signed_msg}"

Signature validation:

verifier.verified(params[:signed_msg])
=> "reports-50"

verifier.verified("some-invalid-string")
=> nil

verifier.verify(params[:signed_msg])
=> "reports-50"

verifier.verify("some-invalid-string")
=> ActiveSupport::MessageVerifier::InvalidSignature

From the scratch

If you are not using ActiveSupport or for some reason you have to implement it from scratch it’s pretty easy. To keep it simple let’s implement a case when signature is a separate param from resource id and expires_at (/reports/50?signature=...&expires_at=...).

class MessageSigner
  def initialize(key = ENV['MY_SECRET_KEY'])
    @key = key
  end

  def sign(message, expires_at:)
    OpenSSL::HMAC.hexdigest('SHA256', @key, "#{message}--#{expires_at}") # calculate signature
  end

  def verify(message, signature, expires_at:)
    # check if signature is still valid, 
    # you can trust expires_at params since if it was modified by user it'll fail on signature validation
    return false if Time.now.to_i >= expires_at

    expected_signature = sign(message, expires_at: expires_at) # recalculate signature
    Rack::Utils.secure_compare(signature, expected_signature) # use secure_compare to avoid timing attacks
  end
end

Creating signature:

signer = MessageSigner.new
expires_at = Time.now.to_i + 60*60*3
signature = signer.sign("reports-50", expires_at: expires_at)
url = "/reports/50?signature=#{signature}&expires_at=#{expires_at}"

Validating signature:

signer = MessageSigner.new
signer.verify("reports-#{params[:id]}", params[:signature], expires_at: params[:expires_at].to_i)
# allow user to see report if verify method returns true

To implement behavior like in Rails all you have to do is merge message and expires_at (manually to one string or with some serializer like Marshal) and encode it with Base64. You can consider it as your homework :)

Summary

As you can see generating and validating signed URLs in Ruby is really simple with or without Rails. It can be used for many purposes as an alternative to other solutions (temporary tokens in DB - ugh!).

Nowadays web application security is a crucial and unfortunately sometimes a bit neglected matter. Today, I’ll focus on Content Security Policy - a handy mechanism that can protect our app from XSS attacks. It’s not Rails-specific, it can (or even should) be implemented in every web application but Rails provides great helpers to make implementation even easier.

XSS attacks

XSS (Cross-site scripting) is probably one of the most common vulnerabilities in web applications. If our application is vulnerable, an attacker can inject malicious code into the victim’s browser, what can lead to many dangerous situations like, for example, session hijacking.

Let’s take a simple example - we have a blog with comments. The attacker creates a new comment with the following content:

Great article! <script>console.log('hacked!')</script>

If, for some reason, we won’t sanitize it while displaying the script will be executed in the browser of our visitors. By default, ERB keeps us safe and escapes HTML, so code:

<%= 'abc <script>alert("hi!")</script>' %>

Will be rendered as plain text, < will be replaced with <. Unfortunately, there are some cases when it’s not that easy:

<%== "<b>#{comment.username}</b>: #{comment.content}" %>

Here, some careless developer wanted to display the username bolded, did it in a pretty bad way, and as a result created a vulnerability! Both comment.username and comment.content aren’t escaped, because of <%== which was added to avoid escaping <b>. In this code, it’s pretty obvious but unfortunately, in many cases, it’s not.

Content Security Policy (CSP)

There are many ways to prevent XSS or reduce its impact but CSP is a very simple to implement mechanism that eliminates most of the vulnerabilities right away. Rails provides helpers which make implementation even easier.

CSP allows us to specify trusted sources for all external resources like images or scripts. Adding such resources from untrusted sources will result in blocking them by the browser.

In the newly created Rails app, we have a config/content_security_policy.rb file with basic configuration. It’s disabled by default but all we have to do is to uncomment the code in the file. In version 7.0.4 it will look like this (after uncommenting):

Rails.application.configure do
  config.content_security_policy do |policy|
    policy.default_src :self, :https
    policy.font_src    :self, :https, :data
    policy.img_src     :self, :https, :data
    policy.object_src  :none
    policy.script_src  :self, :https
    policy.style_src   :self, :https
    # Specify URI for violation reports
    # policy.report_uri "/csp-violation-report-endpoint"
  end

  # Generate session nonces for permitted importmap and inline scripts
  config.content_security_policy_nonce_generator = ->(request) { request.session.id.to_s }
  config.content_security_policy_nonce_directives = %w(script-src)

  # Report violations without enforcing the policy.
  # config.content_security_policy_report_only = true
end

From now, our app will add a following header to the response:

Content-Security-Policy: default-src 'self' https:; font-src 'self' https: data:; img-src 'self' https: data:; object-src 'none'; script-src 'self' https: 'nonce-26ea5aaa858b26e451c1d9209e031f0a'; style-src 'self' https:

Let’s take a closer look at what it does. We have a list of different types of resources and their trusted sources.

• :self - allows resources from current origin - so if your page is under somedomain.com it will allow all resources within this domain.
• :https - it will allow loading resources from any origin as long as it’s using HTTPS (HTTP requests will be blocked)
• :data - data URIs (for example: data:image/gif;base64,R0lGODlhEAAQA...)
• :none - don’t allow loading objects from any source

So looking at our config it will allow resources except for the object type (<object>, <embed>, and <applet>) to be loaded from our domain, HTTPS URLs, and Data URIs. As you can see it’s easy to customize it per resource type. All types that are not present in the CSP header will fall back to default_src. You can check the full list of supported directives here.

We’ll take a look at the rest of the config later. Let’s focus on script-src for now, since it’s the most important one when talking about XSS. Apart from blocking scripts from the insecure connections, it will block the following things:

• inline <script> blocks
• javascript in HTML attributes like onclick="doSomething()""
• eval and similar javascript methods

Thanks to that the code from the previous example will be blocked, cool, right? These are pretty solid settings for the start but can be improved. The attacker can still inject code like <script src="https://my.evil.site.com/dirty-script.js"></script>.

Improving script-src directive

To minimalize the risk of vulnerabilities we can remove :https from script_src and provide a list of allowed domains instead. It may take some time, especially if you are using stuff like Google Analytics, Facebook pixels, etc. Keep in mind that subdomains are not included by default but you can use wildcards like '*.google-analytics.com'.

Blocked inline scripts may be a problem, sometimes we would like to use them for various reasons. We could use :unsafe_inline to allow them but it would significantly impact our security and to be honest make our policy pointless. Luckily, there is a better way to do this.

Nonce

If you take another look at the generated header you’ll see the following content in the script-src part:

'nonce-26ea5aaa858b26e451c1d9209e031f0a'

It tells the browser to accept inline script with the following nonce value:

<script nonce="26ea5aaa858b26e451c1d9209e031f0a">
  console.log('hello')
  // script will be executed because it has correct noonce value
</script>

To keep it safe nonce should be random (so the attacker won’t be able to guess it). By default, Rails uses session id as a nonce but I recommend changing it.

config.content_security_policy_nonce_generator = ->(_request) { SecureRandom.base64(16) }

Now nonce will be different on each request making it even safer. Using session id has some advantages - it can be useful if you are using Conditional GET caching (random noonce will prevent pages from being cached) but in most cases keeping it random is the best way to go.

To use it for your inline script just add nonce: true to the javascript_tag helper:

<%= javascript_tag(nonce: true) do %>
  console.log('hello')
<% end %>

Adding CSP to existing application

Adding CSP to an existing application can be painful, especially if it’s a large app with a lot of javascript. To do that without breaking anything we can use reporting feature.

First, let’s uncomment the following line:

policy.report_uri "/csp-violation-report-endpoint"

It orders the browser to send policy violation reports to /csp-violation-report-endpoint. You’ll have to implement such endpoint and store reports somewhere - in DB or anywhere else. The browser will send POST requests with a simple JSON body. It will include information about which rule was violated as well as blocked resource URLs.

Keeping it like that will still result in blocking such resources but we can change that as well, by uncommenting:

config.content_security_policy_report_only = true

Now, we will receive notifications about violations but they won’t be blocked.

Thanks to that we can easily integrate CSP into existing apps. First we setup our policy in report-only mode, we gather reports, fix our policy (by adding missing URLs) or our code (by adding nonce to inline scripts) and finally, we can turn off report-only mode.

It’s worth mentioning that sometimes you’ll receive weird violation reports not really related to your app - they are the results of different browser add-ons or extensions, you can safely ignore them.

Summary

So to summarize - CSP is a great mechanism that can improve the security of your app with relatively simple implementation. It can block most of the potential XSS attacks by disabling the execution of scripts from untrusted sources. Although, you should still sanitize/escape user inputs since it doesn’t protect us from injecting HTML.

If you’ll like to know all CSP directives and features please take a look at MDN.

Let me know if you’ll like to see more security-related articles!

It’s a common practice to measure the quality of tests to make sure they cover all the code. Most ruby developers are familiar with SimpleCov. By default, it measures only line coverage, which sometimes can make false assurance that our code is fully tested. In Ruby we have many options to write conditional code in single lines:

return if something_happened?

some_var = argument.is_a?(SomeClass) ? argument : SomeClass.new(argument)

In such cases, line coverage will mark lines as covered no matter what’s the result of the condition.

Line coverage

Let’s take a look at a very simple example:

def read_file_if_exists(path)
  return '' unless File.exist?(path)
  
  File.read(path)
end

and spec for it:

require 'simplecov'

SimpleCov.start

require_relative './example.rb'

RSpec.describe 'read_file_if_exists' do
  subject { read_file_if_exists('example.txt') }

  it 'returns content of the file' do
    expect(subject).to eq('abc')
  end
end

As you’ve probably noticed I haven’t tested the case when a file doesn’t exist. Yet my line coverage is 100%.

$ rspec example_spec.rb
.

Finished in 0.0014 seconds (files took 0.07227 seconds to load)
1 example, 0 failures

Coverage report generated for RSpec to /Users/kukicola/Desktop/example/coverage. 3 / 3 LOC (100.0%) covered.

My test isn’t perfect but I think we can agree that in this case, it’s not the end of the world.

Let’s move on to the second example:

def number_to_dollar(number)
    dollar_part = "#{number.to_i} dollar(s)"
    cent_part = number % 1 != 0 ? " #{((number - number.to_i) * 100).to_i} cent(s)" : nil
    dollar_part + cent_part
end

and spec for it:

require 'simplecov'

SimpleCov.start

require_relative './example2.rb'

RSpec.describe 'number_to_dollar' do
    subject { number_to_dollar(2.56) }

    it 'returns dollar and cents' do
        expect(subject).to eq('2 dollar(s) 56 cent(s)')
    end
end

My test will pass and line coverage is 100%. If you look carefully you’ll see that my code has an obvious bug. For values without a decimal part it will raise an error because it won’t be able to add nil to the string:

irb(main):002:0> number_to_dollar(2)
/Users/kukicola/Desktop/example/example2.rb:4:in `+': no implicit conversion of nil into String (TypeError)

What is branch coverage and why it’s important?

Branch coverage is a measure of how many branches/results of the conditions have been executed during testing. You can turn it on by simply adding enable_coverage :branch into SimpleCov.start block. Let’s enable it for my spec:

require 'simplecov'

SimpleCov.start do
  enable_coverage :branch
end

require_relative './example2.rb'

RSpec.describe 'number_to_dollar' do
  subject { number_to_dollar(2.56) }

  it 'returns dollar and cents' do
    expect(subject).to eq('2 dollar(s) 56 cent(s)')
  end
end

In my coverage/index.html file I can see that my test doesn’t cover all the branches:

1 files in total.
5 relevant lines, 5 lines covered and 0 lines missed. ( 100.0% )
2 total branches, 1 branches covered and 1 branches missed. ( 50.0% )

Thanks to branch coverage it’s easy to identify that I missed a case when the cent part is zero. Having that information I can add additional test for that case, see that it fails and fix my code.

Conclusion

As you can see even 100% line coverage is not enough to be sure that my code is correct and fully tested. Branch coverage can help to identify missed cases and prevent potential bugs in the app.

Dependency Injection isn’t something that you’ll see in every Rails application. Ruby allows us to stub basically everything in tests so in most cases there’s no need to inject any dependencies and hard-coding them is good enough. Although even in such flexible language as ruby there is a place for DI.

What is DI?

Before we jump to some examples let’s first take a minute to understand what is Dependency Injection. Imagine a situation when one of your services uses another one. You probably see it every day.

class ServiceA
  # ...
  def do_something
    # ...
    ServiceB.new.do_something_else
    # ...
  end
  # ...
end

ServiceB is hard-coded and tightly coupled with ServiceA. Is that a bad thing? In most cases - no. We can still stub it in the tests or replace it with something else but it will be easier using DI.

class ServiceA
  def initialize(some_dependency: ServiceB.new)
    @some_dependency = some_dependency
  end

  # ...
  def do_something
    # ...
    @some_dependency.do_something_else
    # ...
  end
  # ...
end

Instead of hard-coding ServiceB, we are injecting it into ServiceA. It gives us loose coupling between our services - ServiceA depends on abstraction. We can use a different class without changing the implementation of ServiceA as long as it implements do_something_else method.

Real-world examples

Looking at the code above you’ll probably think “why would I need to change ServiceB?” or “even if I have to, it’s not a problem” and in most cases, you would be right.

Let’s take a look at some real-world examples:

class DataExport
  # ...
  def call
    csv = Writers::CSV.new
    csv << some_data
    # ...
    csv.close
  end
  # ...
end

Our class is responsible for exporting some data to a CSV file using Writers::CSV. Now imagine having many similar classes responsible for exporting different data in your application.

What if we decide to switch to XLS or give users a choice? How should we test it? Should it write to some temp files or should we stub it?

Second one:

class SomeNotifier
  # ...
  def call
    # ... 
      SmsSender.new.call(number, message)
    # ...
  end
  # ...
end

In this case, our class notifies users using an SMS message.

What if we decide to change the SMS provider? Easy - let’s just change SmsSender implementation. How should we test it? Also easy - let’s just stub the whole class. But how it should behave in the development environment? We would probably want to avoid sending real sms messages and printing content to stdout should be enough. How would you handle it? if Rails.development? ?

Dependency Injection to the rescue

Let’s focus on data export first. Using DI it would look like this:

class DataExport
  def initialize(writer: Writers::CSV.new)
    @writer = writer
  end
  # ...
  def call
    writer << some_data
    # ...
    writer.close
  end
  # ...
end

We can easily replace the writer with some Writers::XLS or anything else without touching the actual implementation of DataExport.

In tests for this particular class we don’t really care if a file is created on the disk (assuming we have proper tests for Writer::*). What we focus on is if exported data is correct. Do we need a real file for that? No, we can replace our writer with some Writers::Memory, which uses StringIO instead, without any stubs.

describe DataExport do
  let(:instance) { described_class.new(writer: Writers::Memory.new) }
  
  it 'exports correct data' do
    # ...
    expect(writer.result).to eq(something)
  end
end

Since our test is using memory instead of real files it can result in a significant performance boost. Also, we don’t have any stubs that distract us from what’s important in our test.

To solve our problem from the second example we have to go further.

Dependency Container

Dependency Container helps us keep our dependencies in one centralized place. We have a great implementation called dry-container.

First, we need to initialize the container and register our dependencies:

container = Dry::Container.new
container.register(:sms_service, SmsSender.new)

Then, we can use it in our SomeNotifier class.

class SomeNotifier
  # ...
  def call
    # ... 
    container.resolve(:sms_service).call(number, message)
    # ...
  end
  # ...
end

Now SmsSender is used directly only during container initialization. As a result, we can easily register different classes in different environments. In our development we can register some fake class that will output the message to stdout:

container = Dry::Container.new
container.register(:sms_service, FakeSmsSender.new)

Dependency Container can be extremely useful when working with external APIs and not just that.

Conclusion

Both examples above can be handled without using DI. You can use stubs, if Rails.development? conditions, or any other tricks but in my opinion, DI makes it cleaner, easier to maintain and test.

It can be useful in many other cases:

• working with external services - you don’t need tons of requests stubs and it’s easy to use fake data in the development
• when using repository pattern - fake repositories in tests instead of stubs or real calls to the database
• A/B testing different approaches/implementations

If you don’t agree with me or have any other thoughts on the subject please let me know!