Skip to main content

This is for internal use by the PaaS team. Public-facing documentation is located at

ADR022: web app language and framework selection


This has been superceded by ADR024 since February 2018. It has been retained for historical purposes.


We are starting to develop a number of user-facing applications with web interfaces that need to be styled to look like GOV.UK etc. In order to keep things consistent we want to pick a single programming language and framework to write these in.

We’ve previously used Sinatra for this, but ran into issues with its default configuration which isn’t secure, leading to an XSS vulnerability. We therefore want to choose something that comes with secure defaults, and makes it easier to avoid this sort of issue.


  • Must be well supported by govuk_template and govuk_frontend_toolkit (as well as the future govuk-frontend project)
  • Must be understood broadly by members of the team.
  • Must be understood broadly by members of the frontend developer community within GDS.

After dicsussion with the head of the frontend community and members of the team, the choice seems to be Rails for the following reasons:

  • Most of is written in Rails, as is the Verify frontend, and therefore is well known within the frontend developer community.
  • It’s well supported by the frontend toolkits (both projects are available as gems that provide a Rails engine). Given the wide use of Rails with GDS, the future govuk-frontend project is likely to support it.
  • It’s the framework that’s most familiar to our team.
  • It is opinionated, and comes with secure defaults making it much easier to create a secure web app.


We will use Ruby and Rails to create new user-facing applications with web frontends.


Superceded by ADR024.


We should consider porting some of our existing applications over to Ruby and Rails.