The atomic decorator/context manager ensures all-or-nothing database operations. I wrap related operations in @transaction.atomic or with transaction.atomic() blocks. If any operation fails, the entire transaction rolls back. This prevents partial dat

Email is still a core product channel, and it’s easy to ship broken messages if you don’t treat it like code. I keep templates in source control, render them with a simple templating engine, and send via nodemailer (or a provider SDK). I always includ

Rails engines are miniature Rails applications within applications. I use engines for extracting reusable functionality—authentication, billing, admin panels. Engines have their own models, controllers, views, routes, migrations. Mountable engines are

While Rack::Attack handles basic rate limiting, custom throttling logic gives fine-grained control over quotas, burst allowances, and per-feature limits. I implement a token bucket algorithm in Redis using sorted sets to track request timestamps per u

Client-side debounce is best done in Stimulus (not in view helpers). This controller submits the nearest form after a short pause, while letting Turbo handle the navigation and frame replacement.

Turbo includes a progress bar at the top of the page, and it’s a surprisingly visible part of perceived quality. I like to set the color and height to match the app’s brand. This is pure CSS: target .turbo-progress-bar. You can also make it slightly t

net/http/pprof is incredibly useful during performance incidents, but it should never be open to the public internet. I register the pprof handlers on a separate mux and wrap them with Basic Auth (or, better, your real auth middleware). The important

Comprehensive request logging provides visibility into API usage patterns, performance bottlenecks, and security incidents. I log structured JSON that includes request method, path, parameters (sanitized to exclude passwords), response status, duratio

Clients can lie about Content-Type, so for uploads I prefer sniffing the first bytes with http.DetectContentType. The safe flow is: open the multipart file, read a small prefix, detect type, then rewind (or re-open) before writing to disk or object st

Password reset workflows require careful security design to prevent account takeover. I generate time-limited, single-use tokens using Rails' signed_id feature which creates tamper-proof tokens without database storage. The token expires after a short

Some UI elements should survive navigation: a music player, a search input, or a navbar with an open dropdown. Turbo’s data-turbo-permanent lets you mark a DOM node that shouldn’t be replaced during visits. I use it carefully—permanent nodes can keep

Pundit provides simple, object-oriented authorization. Policies encapsulate authorization rules in plain Ruby classes. Each model gets a policy class defining who can perform actions. I use Pundit for fine-grained permissions—different users see diffe