An upgraded Rails gem does not upgrade your Rails configuration

TL;DR

Make sure you have config.load_defaults 5.1 in your config/application.rb if your Rails app was created before March 2017.

An unexpected Rails config

Whenever there is a new buzz about new Rails defaults, I try to use the new defaults as early as possible. But I wanted to wait with per-form-csrf tokens for some time, so I had this in an initializer:

# config/initializers/new_framework_defaults.rb 
Rails.application.config.action_controller.per_form_csrf_tokens = false

When I felt that it was time to try them out, I removed the initializer... only to find out that nothing changed. I read the whole config guide and there was no hint as to what could have gone wrong. Somehow, I was under the impression that new defaults kick in as soon as I upgrade my Rails version (after all, that's what the word "default" implies).

And it was like that, until this commit from March 2017 which dumped the idea of config/initializers/new_framework_defaults.rb (even though it's still alive and kicking with a versioned suffix). New defaults don't become active unless you add this:

# config/application.rb
module MyApp
  class Application < Rails::Application
  
    # Not your Rails gem determines your configuration defaults, 
    # but this very method call:
    config.load_defaults 5.2

Sure enough, as late as June 2017 people were struggling with this. And it took me half a year to realize the same thing. If you read this blog post this far, I suppose, now you realized it, too.

Hypothetically, if you'd like to match your configuration to your Rails gem version, I suppose you could even do the following

# YOLO
config.load_defaults Rails::VERSION::STRING.to_f

I do recommend that you skim through these file templates for changes every now and then. These files won't upgrade themselves in your Rails app