Last checked and updated on 31 May 2026
What Is New in Ruby on Rails 4.0
| Category | Highlights |
|---|---|
| New Features | Strong Parameters, Turbolinks, ActionController::Live streaming, Russian doll caching, ActiveModel::Model, Thread-safe by default, Schema cache dump, PATCH verb support, Routing concerns, Declarative ETags |
| Improvements | Dalli memcache client, Notifications start & finish, Callable scope API, PostgreSQL array & hstore support, Custom coders for ActiveRecord::Store, Relation#load, NullRelation, create_join_table helper |
| Breaking Changes | Page/action caching, observers, ActiveRecord session store, ActiveResource, vendor/plugins removed, hash-based & dynamic finders deprecated, mass-assignment protection removed, config.threadsafe! removed, automatic EXPLAIN disabled, IdentityMap removed, builder flag removed, Rails::Plugin removed |
| Deprecations | config.threadsafe! (use config.eager_load), ActiveSupport::TestCase#pending, ActiveSupport::Benchmarkable#silence, ActiveSupport::JSON::Variable, Module#local_constant_names, ActiveSupport::BufferedLogger, assert_present/assert_blank, old hash-based finder API, dynamic finder methods (except find_by_*) |
What happened to the old caching mechanisms in Rails 4?
Page and action caching were extracted from the core and are now provided as separate gems.
- Both caches live in
actionpack-page_cachingandactionpack-action_cachinggems. - They are no longer loaded automatically; add them to your
Gemfileif you still need them. - Rails encourages Russian doll caching instead, which nests fragment caches and expires them based on model-driven keys.
In practice, replace old caches_page or caches_action calls with fragment caching and include the appropriate gem when legacy behavior is required.
How does Rails 4 enforce strong parameters and mass-assignment protection?
Strong parameters replace the old attr_accessible mass-assignment whitelist.
# controller example
def create
@post = Post.new(post_params)
if @post.save
redirect_to @post
else
render :new
end
end
private
def post_params
params.require(:post).permit(:title, :body)
end
- Unpermitted attributes are filtered out, raising
ActiveModel::ForbiddenAttributesErrorif accessed directly. - The legacy mass-assignment protection module is now a separate gem and is deprecated in core.
This matters if you upgrade from Rails 3, because existing attr_accessible declarations will be ignored.
Why is Rails 4 considered thread-safe by default and what should teams verify?
Rails 4 enables thread safety out of the box, allowing you to run on multi-threaded app servers without extra configuration.
- All core components are marked thread-safe; you only need to ensure that any third-party gems you use are also thread-safe.
- Check the gem's documentation or run the Rails thread-safety test suite.
- Remove the old
config.threadsafe!call; useconfig.eager_loadfor finer control.
Watch out for gems that still rely on global mutable state, as they can re-introduce race conditions.
What new conveniences does ActionPack bring in Rails 4?
ActionPack adds several developer-friendly features that simplify modern web apps.
- Turbolinks: Sends only the
<body>on navigation, speeding up page loads. - ActionController::Live: Enables server-sent events and streaming responses via
response.stream. - Routing concerns: Share common sub-routes across resources, e.g.,
concern :commentable do resources :comments end. - Declarative ETags: Set
fresh_whenorstale?with controller-level ETag definitions. - Russian doll caching: Nest fragment caches and automatically expire them when any dependent model changes.
These features reduce boilerplate and improve perceived performance for end users.
Frequently Asked Questions
Do I need Ruby 2.0 to run Rails 4?
Rails 4 requires Ruby 1.9.3 or newer, but Ruby 2.0 is the preferred version.
How can I add back page caching after upgrading to Rails 4?
Add the gem 'actionpack-page_caching' to your Gemfile and run bundle install.
What command creates a new Rails 4 app with the latest edge code?
Run rails new myapp --edge to generate an application from the current edge repository.
Is the vendor/plugins directory still supported in Rails 4?
No, vendor/plugins has been removed; use a Gemfile with Bundler instead.
How are the new security headers enabled in Rails 4?
Rails 4 sends X-Frame-Options, X-XSS-Protection, and X-Content-Type-Options with every response by default.
What is the new syntax for defining scopes in Rails 4?
Scopes must be defined with a callable, for example scope :recent, -> { where('created_at > ?', 1.week.ago) }.