
Rails 3.2 strict mass assignment defaults
In a new rails project what is the reason mass assignment is not set to strict in production and the reason that it is set to strict in development and test?


Solution

  • You mean this line, I assume:

    # Raise exception on mass assignment protection for Active Record models
    config.active_record.mass_assignment_sanitizer = :strict
    

    This does not set the mass-assignment protection itself - that defaults to protected regardless of environment. What it does, as the comment hints at, is tell Rails to raise an exception on a mass-assignment error, which helps with development and testing. In production, those are simply ignored.

    From the documentation of attr_protected:

    Mass-assignment to these attributes will simply be ignored, to assign to them you can use direct writer methods. This is meant to protect sensitive attributes from being overwritten by malicious users tampering with URLs or forms.
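The difference the answer describes, shown in plain Ruby as an added example (this is a simplified model written for this page, not Rails' own ActiveRecord code; the `Model` class, `ACCESSIBLE` list and `TAMPERED_PARAMS` hash are constructed for the illustration). With the non-strict `:logger` sanitizer a protected attribute sent in a form or URL is dropped and only logged; with `:strict` the same request raises, which is what surfaces the mistake in development and test:

```ruby
# Simplified model of Rails 3.2 mass-assignment sanitizing (added example,
# not Rails' own code). Two behaviours are mirrored: with the :logger
# sanitizer a protected attribute is dropped and logged; with :strict the
# same assignment raises an exception.
require 'logger'

class MassAssignmentError < StandardError; end

class Model
  # Attributes a request may set via mass assignment (think attr_accessible).
  # Anything not listed here, such as 'admin', is protected.
  ACCESSIBLE = %w[name email].freeze
  attr_reader :attributes

  def initialize(sanitizer = :logger, logger: Logger.new($stderr))
    @sanitizer  = sanitizer
    @logger     = logger
    @attributes = { 'name' => nil, 'email' => nil, 'admin' => false }
  end

  # Mass assignment: protected keys are either rejected (strict) or
  # silently dropped with a log line (logger). Accessible keys are applied.
  def assign_attributes(params)
    params   = params.transform_keys(&:to_s)
    rejected = params.keys - ACCESSIBLE
    unless rejected.empty?
      message = "Can't mass-assign protected attributes: #{rejected.join(', ')}"
      raise MassAssignmentError, message if @sanitizer == :strict
      @logger.warn("WARNING: #{message}")
    end
    params.each { |key, value| @attributes[key] = value if ACCESSIBLE.include?(key) }
    self
  end

  # Direct writer: the only route by which a protected attribute should change.
  def admin=(value)
    @attributes['admin'] = value
  end
end

# Constructed request parameters that attempt to set a protected attribute.
TAMPERED_PARAMS = { 'name' => 'alice', 'email' => 'alice@example.com', 'admin' => true }.freeze

# Non-strict (production-style) behaviour: the protected key is dropped,
# the accessible keys are applied, and nothing is raised.
def non_strict_assignment(params = TAMPERED_PARAMS)
  Model.new(:logger, logger: Logger.new(nil)).assign_attributes(params).attributes
end

# Strict (development/test-style) behaviour: the same request raises.
# Returns :assigned when no protected key was present, else the error message.
def strict_assignment(params = TAMPERED_PARAMS)
  Model.new(:strict).assign_attributes(params)
  :assigned
rescue MassAssignmentError => e
  e.message
end

if __FILE__ == $PROGRAM_NAME
  p non_strict_assignment   # 'admin' stays false, name/email applied
  p strict_assignment       # error message naming the protected attribute
end
```

Run it directly to see both outcomes; in both modes the `admin` attribute is never set from the request, which is the protection the attr_protected documentation quoted above refers to. The strict mode only changes whether the attempt is reported loudly or quietly.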