I was surprised they considered this an issue also. Does anyone here run WEBrick in production?
Similarly for binding on 0.0.0.0. If you're running Passenger or Unicorn, this shouldn't be a problem. I don't know about other projects like Thin. But insofar as this is something the core Rails team has control over, we're talking about just WEBrick again, right?
Cedar default is WEBrick - I only know this because I had to switch to Thin (and then later Unicorn) to deal with some issues on an app on Cedar stack.
When the recent RCE exploits came out, the idea of a bunch of people running Rails dev environments on their laptops on 0.0.0.0:3000 became a lot scarier. Even if an intruder getting into a corporate network and scanning for Rails apps sounds unlikely, there are plenty of opportunities on public networks (e.g. all those Rails hipsters at coffeeshops).
The nasty thing was that no "getting into corporate network and scanning" was required. All you had to manage was to get some browser to send a maliciously crafted request to a vulnerable app. It's easy to just have a snippet of JavaScript code that posts to localhost:3000 in the hope of hitting an app. Embed that snippet on a forum that lots of Rails developers visit - instant pwnage. It's spray and pray, granted, but as long as you're not trying to hit a specific target that should give you plenty of root shells on developer machines.
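The scripted cross-site POST described in the comment above carries an Origin header naming the forum page (or, for plain form posts from some older browsers, only a Referer), while requests the developer makes from their own browser tab name localhost:3000. One way to use that is a small Rack middleware that refuses state-changing requests whose Origin/Referer is not on an allowlist, placed early enough in the stack to run before anything parses the request body. This is an added example written for this page, not code from the thread, from Rails or from any Rack project; the middleware name, the allowed-host list, the stand-in downstream app and the request environments are all constructed for illustration. It needs only Ruby's standard library (a Rack app is just an object responding to `call(env)`), so it runs without the rack gem.

```ruby
# Added example (not from the thread or from Rails): a Rack middleware that
# rejects cross-origin state-changing requests aimed at a development server.
# A snippet on a forum page that POSTs to localhost:3000 arrives with
# "Origin: https://forum.example" and is refused before the body is touched.
require 'uri'

class BlockCrossOriginWrites
  SAFE_METHODS = %w[GET HEAD OPTIONS].freeze

  # allowed_hosts: "host[:port]" values a write may originate from
  # (assumption: the developer lists the addresses they browse the app at).
  def initialize(app, allowed_hosts: ['localhost:3000', '127.0.0.1:3000'])
    @app = app
    @allowed = allowed_hosts
  end

  def call(env)
    return @app.call(env) if SAFE_METHODS.include?(env['REQUEST_METHOD'])

    origin = request_origin(env)
    # Fail closed when neither Origin nor Referer is usable: a scripted
    # cross-site request is exactly the case this is meant to stop.
    if origin.nil? || !@allowed.include?(origin)
      return [403, { 'Content-Type' => 'text/plain' },
              ["Cross-origin #{env['REQUEST_METHOD']} rejected\n"]]
    end

    @app.call(env)
  end

  private

  # Returns "host[:port]" of the page that issued the request, or nil.
  # Browsers send the literal string "null" for opaque origins; treat as absent.
  def request_origin(env)
    raw = env['HTTP_ORIGIN'] || env['HTTP_REFERER']
    return nil if raw.nil? || raw == 'null'

    uri = URI.parse(raw)
    return nil unless uri.host

    # Keep the port explicit when it is not the scheme default, so that
    # "http://localhost:3000" and "http://localhost" stay distinct.
    default = uri.scheme == 'https' ? 443 : 80
    uri.port == default ? uri.host : "#{uri.host}:#{uri.port}"
  rescue URI::InvalidURIError
    nil
  end
end

# Hypothetical downstream app standing in for the rest of the stack.
HELLO_APP = ->(_env) { [200, { 'Content-Type' => 'text/plain' }, ["ok\n"]] }

# Constructed Rack env hashes; no browser or server is needed to run this.
def constructed_env(method, origin: nil, referer: nil)
  env = { 'REQUEST_METHOD' => method,
          'HTTP_HOST' => 'localhost:3000',
          'PATH_INFO' => '/' }
  env['HTTP_ORIGIN'] = origin if origin
  env['HTTP_REFERER'] = referer if referer
  env
end

# Status the protected app returns for a request of the given shape.
def status_for(method, origin: nil, referer: nil)
  app = BlockCrossOriginWrites.new(HELLO_APP)
  app.call(constructed_env(method, origin: origin, referer: referer)).first
end

if __FILE__ == $PROGRAM_NAME
  puts status_for('GET')                                          # 200
  puts status_for('POST', origin: 'http://localhost:3000')        # 200
  puts status_for('POST', origin: 'https://forum.example')        # 403
  puts status_for('POST', referer: 'http://localhost:3000/users') # 200
  puts status_for('POST')                                         # 403
end
```

The check does not depend on which interface the server is bound to, which is the point of the comment: a dev server on 127.0.0.1:3000 is reached by the victim's own browser just as easily as one on 0.0.0.0:3000. It also differs from a CSRF token check, which typically runs in the controller after request parsing; an Origin check as middleware can sit ahead of the parsers, which is where it has to be for an attack that lives in the body parser itself.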