When updating Rails, doing rails app:update, we get a new framework defaults file and something like following added to config/application.rb

# Initialize configuration defaults for originally generated Rails version.
config.load_defaults x.x # <- rails version number

We need to go through the config/initializers/new_framework_defaults*.rb files and enable these new defaults. This hasn't been done for any of the recent Rails upgrades - since 5.0 -> 5.1 I think.

Some of these changes will require changes to the codebase in order to be enabled.

Rails 5.0

• Enable per-form CSRF tokens
• Enable origin-checking CSRF mitigation
• Make Ruby 2.4 preserve the timezone of the receiver when calling to_time
• Require belongs_to associations by default.

Rails 5.1

• Make form_with generate non-remote forms.
• Unknown asset fallback will return the path passed in when the given asset is not present in the asset pipeline.

Rails 5.2

• Make Active Record use stable #cache_key alongside new #cache_version method.
• Use AES-256-GCM authenticated encryption for encrypted cookies.
• Use AES-256-GCM authenticated encryption as default cipher for encrypting messages instead of AES-256-CBC
• Add default protection from forgery to ActionController::Base instead of in ApplicationController.
• Store boolean values are in sqlite3 databases as 1 and 0 instead of 't' and 'f' after migrating old data.
• Use SHA-1 instead of MD5 to generate non-sensitive digests, such as the ETag header.
• Make form_with generate id attributes for any generated HTML tags.

Rails 6.0

• Don't force requests from old versions of IE to be UTF-8 encoded.
• Embed purpose and expiry metadata inside signed and encrypted cookies for increased security.
• Change the return value of ActionDispatch::Response#content_type to Content-Type header without modification.
• Return false instead of self when enqueuing is aborted from a callback.
• Send Active Storage analysis and purge jobs to dedicated queues.
• When assigning to a collection of attachments declared via has_many_attached, replace existing attachments instead of appending. Use #attach to add new attachments without replacing existing ones.
• Use ActionMailer::MailDeliveryJob for sending parameterized and normal mail.
• Enable the same cache key to be reused when the object being cached of typeActiveRecord::Relation changes by moving the volatile information (max updated at and count) of the relation's cache key into the cache version to support recycling cache key.

Rails 6.1

• Support for inversing belongs_to -> has_many Active Record associations.
• Track Active Storage variants in the database.
• Apply random variation to the delay when retrying failed jobs.
• Stop executing after_enqueue/after_perform callbacks if before_enqueue/before_perform respectively halts with throw :abort.
• Specify cookies SameSite protection level: either :none, :lax, or :strict.
• Generate CSRF tokens that are encoded in URL-safe Base64.
• Specify whether ActiveSupport::TimeZone.utc_to_local returns a time with an UTC offset or a UTC time.
• Change the default HTTP status code to 308 when redirecting non-GET/HEAD requests to HTTPS in ActionDispatch::SSL middleware.
• Use new connection handling API.
• Make form_with generate non-remote forms by default.
• Set the default queue name for the analysis job to the queue adapter default.
• Set the default queue name for the purge job to the queue adapter default.
• Set the default queue name for the incineration job to the queue adapter default.
• Set the default queue name for the routing job to the queue adapter default.
• Set the default queue name for the mail deliver job to the queue adapter default.
• Generate a Link header that gives a hint to modern browsers about preloading assets when using javascript_include_tag and stylesheet_link_tag.

Rails 7.0

• button_to view helper will render <button> element, regardless of whether or not the content is passed as the first argument or as a block.
• stylesheet_link_tag view helper will not render the media attribute by default.
• Change the digest class for the key generators to OpenSSL::Digest::SHA256.
• Change the digest class for ActiveSupport::Digest.
• Don't override ActiveSupport::TimeWithZone.name and use the default Ruby implementation.
• Calls Rails.application.executor.wrap around test cases.
• Set both the :open_timeout and :read_timeout values for :smtp delivery method.
• The ActiveStorage video previewer will now use scene change detection to generate better preview images
• Automatically infer inverse_of for associations with a scope.
• Raise when running tests if fixtures contained foreign key violations
• Disable partial inserts.
• Rails.application.config.active_record.partial_inserts = false
• Protect from open redirect attacks in redirect_back_or_to and redirect_to.
• Change the variant processor for Active Storage.
• Enable parameter wrapping for JSON.
• Specifies whether generated namespaced UUIDs follow the RFC 4122 standard for namespace IDs provided as a String to Digest::UUID.uuid_v3 or Digest::UUID.uuid_v5 method calls.
• Change the default headers to disable browsers' flawed legacy XSS protection.
• Change the format of the cache entry.
• Cookie serializer
• Change the return value of ActionDispatch::Request#content_type to the Content-Type header without modification.
• Active Storage has_many_attached relationships will default to replacing the current collection instead of appending to it.
• Disables the deprecated #to_s override in some Ruby core classes