Unsafe cookie serialization strategy detected.


JSON is the safest serialization strategy for untrusted data, such as cookie data, to avoid malicious code injection. By default, Rails uses JSON to serialize cookie values.


❌ Avoid overriding the default cookie serializer

Rails.application.config.action_dispatch.cookies_serializer = :marshal

❌ Use the hybrid (Marshal and JSON) serializer option as a temporary solution only, for example when migrating from Marshal to JSON.

Rails.application.config.action_dispatch.cookies_serializer = :hybrid


Associated CWE

OWASP Top 10

Ready to take the next step? Join the Bearer Cloud waitlist.