params to e.g. avoid .
Usually, you say something like `params.permit(:email, :password)` and any extra parameters would be ignored, e.g. when calling
This is excellent and you should definitely use it.
However, there is also `params.permit!` which permits everything from the params. There are situations where this is acceptable/desirable, but `permit!` also mutates the `params` object. This means that any code that accesses `params` afterwards will work with a fully permitted parameters object.
You never want that.
Why? Because it introduces potential vulnerabilities.
Even if you are sure that nobody else accesses the `params` object after your code called `permit!`, you can't guarantee this will be true forever.
It is just not worth the risk and you can always do better.
Instead, you should take a different approach. Here are several alternatives:
- `permit` only known good keys.
- `:host` and similar). Note that it does not include query parameters.
- `params`. If none of the above was enough for you, this should be. Be careful what you use it for; we have a separate card on that.
For example: if `params` are assigned to model attributes, your model won't complain, since `params` were declared safe. Congratulations, you've gained a mass assignment vulnerability. Note that `params.permit(:something)` would still only extract the `:something` entry, but the original `params` object is still tainted and you must avoid that.
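The difference between `permit` and `permit!` described above, shown in plain Ruby as an added example (not Rails' code): `FakeParams` is a constructed stand-in for `ActionController::Parameters` that models only the `permitted?` flag, and `mass_assign` plays the role of a model constructor that refuses unpermitted params.

```ruby
# Constructed stand-in for ActionController::Parameters (not Rails' code).
class FakeParams
  class ForbiddenAttributesError < StandardError; end

  def initialize(hash, permitted: false)
    @hash = hash.transform_keys(&:to_sym)
    @permitted = permitted
  end

  def permitted?
    @permitted
  end

  # Like Rails: returns a NEW permitted object holding only the given keys.
  # The receiver is left untouched and stays unpermitted.
  def permit(*keys)
    FakeParams.new(@hash.slice(*keys), permitted: true)
  end

  # Like Rails: flips the flag on the receiver itself, so every later reader
  # of this same object sees fully permitted params.
  def permit!
    @permitted = true
    self
  end

  def to_h
    raise ForbiddenAttributesError, "params not permitted" unless permitted?
    @hash.dup
  end
end

# Simulated model constructor: refuses unpermitted params, the way a model
# protected by strong parameters would.
def mass_assign(params)
  raise FakeParams::ForbiddenAttributesError unless params.permitted?
  params.to_h
end

# Safe flow: permit hands out a scoped copy; the original stays unpermitted.
def safe_flow(raw)
  params = FakeParams.new(raw)
  attrs = mass_assign(params.permit(:email, :password))
  [attrs, !params.permitted?]
end

# Unsafe flow: permit! mutates params, so code running later (possibly far
# away from the permit! call) mass-assigns everything, :admin included.
def unsafe_flow(raw)
  params = FakeParams.new(raw)
  params.permit!
  mass_assign(params)
end
```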