neya 5 hours ago

One thing that is not stressed enough is that Rails enforces good code patterns early on. If you follow the docs, you will know where model code should be, where helpers should be, where controllers should be. After all, it is an MVC framework.

However, modern-day JS frameworks don't care about this at all. Most of them love flaunting their raw performance numbers. Security? Fuck that. Not even basic form CSRF protection. A lot of the time, there is not even SQL injection prevention in them.

Compound this with someone who just vibe codes their app on top of these frameworks - that's how you end up getting hacked. Every week there is an incident. That's why good frameworks like Rails are very important. People who actually care about writing secure, good-quality software are on the decline, but thank God Rails still exists as an option in 2026 despite that fact.
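
The "basic form CSRF protection" mentioned above, as an added example that is not part of the original post: a synchronizer-token check of the kind Rails enables by default, written as framework-agnostic TypeScript so it can sit in front of any Express-style handler. The token is bound to the session id with an HMAC, so a token lifted from one session fails in another. `CSRF_SECRET`, `CsrfRequest`, the `_csrf` field name and the `x-csrf-token` header are assumptions for the example, not any framework's API.

```typescript
// Added example, not from the thread: minimal synchronizer-token CSRF check.
import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";

// Assumption: a per-deployment secret that binds tokens to a session id.
const CSRF_SECRET = randomBytes(32);

// Verbs that must not change state and therefore need no token.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

const NONCE_LEN = 16;
const MAC_LEN = 32; // sha256

// Token = nonce || HMAC(secret, sessionId || nonce), base64url encoded.
function issueCsrfToken(sessionId: string): string {
  const nonce = randomBytes(NONCE_LEN);
  const mac = createHmac("sha256", CSRF_SECRET).update(sessionId).update(nonce).digest();
  return Buffer.concat([nonce, mac]).toString("base64url");
}

// Recompute the MAC for this session and compare in constant time.
function verifyCsrfToken(sessionId: string, token: string | undefined): boolean {
  if (!token) return false;
  const raw = Buffer.from(token, "base64url");
  if (raw.length !== NONCE_LEN + MAC_LEN) return false;
  const nonce = raw.subarray(0, NONCE_LEN);
  const mac = raw.subarray(NONCE_LEN);
  const expected = createHmac("sha256", CSRF_SECRET).update(sessionId).update(nonce).digest();
  return timingSafeEqual(mac, expected);
}

// Only the request fields the check needs; an assumed shape, not a framework type.
interface CsrfRequest {
  method: string;
  sessionId: string;
  body: Record<string, string | undefined>;
  headers: Record<string, string | undefined>;
}

// True when the request may proceed: safe verbs always, state-changing verbs
// only with a valid token in the form field or (for fetch/XHR) the header.
function csrfAllowed(req: CsrfRequest): boolean {
  if (SAFE_METHODS.has(req.method.toUpperCase())) return true;
  const token = req.body["_csrf"] ?? req.headers["x-csrf-token"];
  return verifyCsrfToken(req.sessionId, token);
}
```

In use, `issueCsrfToken` is called when the form is rendered and its value placed in a hidden `_csrf` input; every POST/PUT/PATCH/DELETE route then runs through `csrfAllowed` before touching state. `SameSite` cookies reduce exposure but do not replace this check, since they do not cover every browser or every request shape.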

dalemhurley 4 hours ago | parent | next [-]

The difference between JS frameworks and RoR/Laravel is the ecosystem cohesion. RoR and Laravel ecosystems employ the RoR or Laravel way of doing things and everything works together very smoothly.

JS solutions are loosely coupled, and there are lots of good reasons for that, but it comes at a major complexity cost.

neya an hour ago | parent [-]

I agree. Opinionated frameworks are better in this regard.

jeppester 2 hours ago | parent | prev | next [-]

Give AdonisJS a try, it's pretty much the JS sibling of Laravel and RoR.

e12e 13 minutes ago | parent | next [-]

Adonis is nice, but still young and lacking features. And in my experience very verbose compared to Rails.

That said, absolutely worth a look.

neya an hour ago | parent | prev [-]

Thanks! Never heard of it, definitely will check it out.

BoorishBears 4 hours ago | parent | prev | next [-]

Eh, there's NestJS and AdonisJS if you want opinionated MVC with lots of built-ins like CSRF and ORMs.

But you can also pick tight packages that do one thing well. Something like oRPC + Drizzle lets you pipe data from your database to the frontend with full typing and cross-boundary go-to-definition, while covering most of what Nest and Adonis do with better-focused APIs.

And in terms of security, I'll take TypeScript with a strong compiler config any day. For example, I disable `any`, non-null asserts (no `!`), floating promises (they must be marked with `void` for explicitness), and unnecessary conditions, plus a bunch of other strict rules. I also use branded types liberally. All of that makes logical errors that can become app-specific security issues (and are thus less readily detected) much less likely to happen. And as a bonus you get really reliable code too.
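
The branded types mentioned above, as an added example that is not part of the comment: two identifiers that are both plain strings at runtime but carry different brands, so handing an order id where a user id belongs (the classic slip behind broken ownership checks) is a compile error rather than a bug found in production. `UserId`, `OrderId`, `Order`, `asUserId`, `asOrderId` and `findOrderForUser` are illustrative names, not any library's; the id formats and the in-memory table are constructed sample data.

```typescript
// Added example, not from the thread: branded ids in TypeScript.

type UserId = string & { readonly __brand: "UserId" };
type OrderId = string & { readonly __brand: "OrderId" };

// Brands are only ever attached by these parse functions, so a branded value
// has passed validation at the trust boundary exactly once.
function asUserId(raw: string): UserId {
  if (!/^u_[a-z0-9]{8}$/.test(raw)) throw new Error(`invalid user id: ${raw}`);
  return raw as UserId;
}

function asOrderId(raw: string): OrderId {
  if (!/^o_[a-z0-9]{8}$/.test(raw)) throw new Error(`invalid order id: ${raw}`);
  return raw as OrderId;
}

interface Order {
  id: OrderId;
  owner: UserId;
  total: number;
}

// Constructed sample rows standing in for a database table.
const ORDERS: readonly Order[] = [
  { id: asOrderId("o_a1b2c3d4"), owner: asUserId("u_11111111"), total: 40 },
  { id: asOrderId("o_e5f6a7b8"), owner: asUserId("u_22222222"), total: 99 },
];

// The ownership check is part of the lookup, and the signature forces callers
// to pass each id in its proper role.
function findOrderForUser(owner: UserId, orderId: OrderId): Order | undefined {
  return ORDERS.find((o) => o.id === orderId && o.owner === owner);
}

// What the compiler rejects. Each @ts-expect-error line is a real tsc error;
// remove the brands and both calls compile silently.
function compileTimeChecks(): void {
  const u = asUserId("u_11111111");
  const o = asOrderId("o_a1b2c3d4");
  findOrderForUser(u, o); // correct roles: compiles
  // @ts-expect-error swapped arguments: an OrderId is not a UserId
  findOrderForUser(o, u);
  // @ts-expect-error a raw string from a request body is not yet a UserId
  findOrderForUser("u_11111111", o);
}
```

The pattern pays off most at boundaries: request parsing produces branded values once, and everything downstream can only accept the brand, so there is no second place to forget the check.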

slopinthebag 5 hours ago | parent | prev [-]

JavaScript frameworks just do SSR + Express-style API routes. They don't handle SQL injection prevention because they don't deal with databases at all. CSRF prevention is less important in today's world, though.

apsurd 5 hours ago | parent [-]

It's like you're saying SQL injection happens if you're running SQL on the client, so if it's on the server you're fine.

That's not how it works. And I'm fairly sure almost all apps deal with databases, unless they're explicitly static pages.

Edit: SQL injection is about hacking the parameters used in a query. They almost always come in some way from external sources, i.e. user input, so they have to be sanitized. It sounds straightforward, but bounties are paid all the time on HackerOne with documented cases of injection. People are very clever.

I've had to patch some verified cases where the hacker used the name field to pass code in and alter links in emails to make it look like they came from our (household name) company.
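
The two failure modes described above (a query parameter from user input, and a name field that rewrites links in an outgoing email), as an added example that is not part of the thread: the same untrusted `name` flows first into a SQL string and then into an HTML email template, each shown concatenated and then in its fixed form. No database or mailer is involved; the functions return the text that would be sent, so the difference is visible directly. The payloads, the `{ text, values }` query shape and the template are constructed for the example.

```typescript
// Added example, not from the thread: one untrusted field, two injection sinks.

// Constructed attacker inputs for a "name" form field.
const SQL_PAYLOAD = `x' OR '1'='1`;
const HTML_PAYLOAD = `</a><a href="https://evil.example/reset">Reset your password</a>`;

// 1. SQL sink. Concatenation lets the quote in the input close the literal,
// and everything after it is parsed as SQL.
function unsafeUserQuery(name: string): string {
  return `SELECT id FROM users WHERE name = '${name}'`;
}

// Parameterized form: the query text is fixed, the value travels separately
// and is never parsed as SQL. Same shape most Node drivers accept.
interface ParamQuery {
  text: string;
  values: readonly string[];
}

function safeUserQuery(name: string): ParamQuery {
  return { text: "SELECT id FROM users WHERE name = $1", values: [name] };
}

// 2. Email HTML sink. The same field dropped into a template closes the
// greeting and plants a second, attacker-controlled link in a mail that
// really comes from the company's sending domain.
function unsafeEmailBody(name: string, link: string): string {
  return `<p>Hi ${name}, <a href="${link}">confirm your account</a></p>`;
}

// Escape the five characters that can change HTML structure or break out of
// an attribute value.
const HTML_ESCAPES: Record<string, string> = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function escapeHtml(s: string): string {
  return s.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c] ?? c);
}

// `link` is assumed to be generated server-side; it is still escaped because
// it lands inside an attribute.
function safeEmailBody(name: string, link: string): string {
  return `<p>Hi ${escapeHtml(name)}, <a href="${escapeHtml(link)}">confirm your account</a></p>`;
}

// Number of anchor tags in rendered HTML; the template has exactly one.
function countLinks(html: string): number {
  return (html.match(/<a\s/g) ?? []).length;
}
```

Escaping is context-specific: the HTML escape above is right for element text and quoted attributes, but a value placed into a URL, a JavaScript string or a CSS block needs that context's encoding instead.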