diff --git a/Gemfile b/Gemfile
index 5690a0b8f..871a3b305 100644
--- a/Gemfile
+++ b/Gemfile
@@ -1,11 +1,8 @@
 source 'http://rubygems.org'
 
-gem 'rails', '3.2.14'
-
-# preparation for rails 4
-#gem 'rails', '4.0.0.rc1'
-#gem 'rails-observers'
-#gem 'activerecord-session_store'
+gem 'rails', '4.0.0'
+gem 'rails-observers'
+gem 'activerecord-session_store'
 
 gem 'eco'
 
@@ -19,10 +16,8 @@ gem 'json'
 group :assets do
 
 # preparation for rails 4
-#  gem 'sass-rails',   '~> 4.0.0.rc1'
-#  gem 'coffee-rails', '~> 4.0.0.rc1'
-  gem 'sass-rails',   '~> 3.2.4'
-  gem 'coffee-rails', '~> 3.2.2'
+  gem 'sass-rails',   '~> 4.0.0'
+  gem 'coffee-rails', '~> 4.0.0'
   gem 'uglifier'
 end
 
@@ -76,6 +71,8 @@ gem 'em-websocket'
 # in production environments by default.
 group :development, :test do
 
+    gem 'test-unit'
+
     gem 'sqlite3'
 
     # code coverage
@@ -92,4 +89,4 @@ group :development, :test do
 #    gem 'em-websocket-client'
 end
 
-gem 'thin'
+gem 'puma'
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index c37b92707..7c745bb82 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -14,7 +14,8 @@ class ApplicationController < ActionController::Base
   :mode_show_rendeder,
   :model_index_render
 
-  before_filter :log_request, :set_user, :session_update
+  skip_before_filter :verify_authenticity_token
+  before_filter :set_user, :session_update
   before_filter :cors_preflight_check
 
   after_filter  :set_access_control_headers
@@ -52,10 +53,6 @@ class ApplicationController < ActionController::Base
     Observer::Ticket::Notification.transaction
   end
 
-  def log_request
-    puts Time.now().to_s + ' ' + request.original_fullpath.to_s
-  end
-
   # Finds the User with the ID stored in the session with the key
   # :current_user_id This is a common way to handle user login in
   # a Rails application; logging in sets the session value and
@@ -257,7 +254,7 @@ class ApplicationController < ActionController::Base
     begin
 
       # create object
-      generic_object = object.new( object.param_cleanup(params) )
+      generic_object = object.new( object.param_cleanup( params[object.to_s.downcase] ) )
 
       # save object
       generic_object.save!
@@ -280,7 +277,7 @@ class ApplicationController < ActionController::Base
       generic_object = object.find( params[:id] )
 
       # save object
-      generic_object.update_attributes!( object.param_cleanup(params) )
+      generic_object.update_attributes!( object.param_cleanup( params[object.to_s.downcase] ) )
       model_update_render_item(generic_object)
     rescue Exception => e
       logger.error e.message
diff --git a/app/controllers/tickets_controller.rb b/app/controllers/tickets_controller.rb
index ecd5a144f..fe1c5dc08 100644
--- a/app/controllers/tickets_controller.rb
+++ b/app/controllers/tickets_controller.rb
@@ -53,7 +53,7 @@ class TicketsController < ApplicationController
     if params[:article]
       form_id  = params[:article][:form_id]
       params[:article].delete(:form_id)
-      @article = Ticket::Article.new( params[:article] )
+      @article = Ticket::Article.new( Ticket::Article.param_validation( params[:article] ) )
       @article.ticket_id     = @ticket.id
 
       # find attachments in upload cache
diff --git a/config/application.rb b/config/application.rb
index 660fa2180..9e9c33930 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -79,11 +79,5 @@ module Zammad
     # REST api path
     config.api_path = '/api/v1'
 
-    # Enable threaded mode
-    config.threadsafe!
-
-    # catch all router files
-    config.paths['config/routes'] += Dir[Rails.root.join("config/routes/*.rb")]
-
   end
-end
+end
\ No newline at end of file
diff --git a/config/environments/development.rb b/config/environments/development.rb
index c9d05dbe1..c3c5b2862 100644
--- a/config/environments/development.rb
+++ b/config/environments/development.rb
@@ -6,9 +6,6 @@ Zammad::Application.configure do
   # since you don't have to restart the web server when you make code changes.
   config.cache_classes = false
 
-  # Log error messages when you accidentally call methods on nil.
-  config.whiny_nils = true
-
   # Show full error reports and disable caching
   config.consider_all_requests_local       = true
   config.action_controller.perform_caching = false
diff --git a/config/environments/test.rb b/config/environments/test.rb
index f3e3b8f66..8e7ee2ef8 100644
--- a/config/environments/test.rb
+++ b/config/environments/test.rb
@@ -15,9 +15,6 @@ Zammad::Application.configure do
   config.assets.compile = true
   config.assets.digest = true
 
-  # Log error messages when you accidentally call methods on nil
-  config.whiny_nils = true
-
   # Show full error reports and disable caching
   config.consider_all_requests_local       = true
   config.action_controller.perform_caching = true
diff --git a/config/routes.rb b/config/routes.rb
index ecf3f32e4..58108ab4e 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -8,4 +8,11 @@ Zammad::Application.routes.draw do
   # just remember to delete public/index.html.
   root :to => 'init#index', :via => :get
 
+  # load routes from external files
+  dir = File.expand_path('../', __FILE__)
+  files = Dir.glob( "#{dir}/routes/*.rb" )
+  for file in files
+    require file
+  end
+
 end
\ No newline at end of file