diff --git a/Gemfile b/Gemfile
index 26190991318..672421b9b7a 100644
--- a/Gemfile
+++ b/Gemfile
@@ -33,8 +33,9 @@ ruby '~> 2.5.1'
gem 'actionpack-xml_parser', '~> 2.0.0'
gem 'activemodel-serializers-xml', '~> 1.0.1'
gem 'activerecord-session_store', '~> 1.1.0'
-gem 'rails', '~> 5.1.6'
+gem 'rails', '~> 5.2.1'
gem 'responders', '~> 2.4'
+gem "listen", "~> 3.1" # Use for event-based reloaders
gem 'rubytree', git: 'https://github.com/dr0verride/RubyTree.git', ref: '06f53ee'
gem 'rdoc', '>= 2.4.2'
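Review bot: `listen` is declared at the top level of the Gemfile, so it is installed and loadable in every environment, although the only consumer visible in this commit is `ActiveSupport::EventedFileUpdateChecker` in config/environments/development.rb. Unless another environment needs it, move the line into the development group (the group blocks are outside this hunk), which keeps the file-watching gem and its platform dependencies out of production bundles. The new line also uses double quotes where the surrounding entries use single quotes: `gem 'listen', '~> 3.1' # Use for event-based reloaders`.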
@@ -118,7 +119,7 @@ gem 'rack-protection', '~> 2.0.0'
gem 'rack-attack', '~> 5.2.0'
# CSP headers
-gem 'secure_headers', '~> 5.0.5'
+gem 'secure_headers', '~> 6.0.0'
# Providing health checks
gem 'okcomputer', '~> 1.16.0'
diff --git a/Gemfile.lock b/Gemfile.lock
index 9862bff9e05..1a08c1e1757 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -80,7 +80,6 @@ PATH
specs:
openproject-auth_plugins (8.2.0)
omniauth (~> 1.0)
- rails (~> 5.0)
PATH
remote: modules/avatars
@@ -88,7 +87,6 @@ PATH
openproject-avatars (8.2.0)
fastimage (~> 2.1.0)
gravatar_image_tag (~> 1.2.0)
- rails (~> 5.0)
PATH
remote: modules/backlogs
@@ -112,7 +110,6 @@ PATH
specs:
openproject-github_integration (8.2.0)
openproject-webhooks
- rails (~> 5.0)
PATH
remote: modules/global_roles
@@ -137,7 +134,6 @@ PATH
lobby_boy (~> 0.1.3)
omniauth-openid_connect-providers (~> 0.1)
openproject-auth_plugins (~> 8.0)
- rails (~> 5.0)
PATH
remote: modules/pdf_export
@@ -151,7 +147,6 @@ PATH
specs:
reporting_engine (8.2.0)
json
- rails (~> 5.1.0)
PATH
remote: modules/reporting
@@ -167,14 +162,12 @@ PATH
openproject-two_factor_authentication (8.2.0)
aws-sdk-sns (~> 1.1.0)
messagebird-rest (~> 1.3.2)
- rails (~> 5)
rotp (~> 3.3)
PATH
remote: modules/webhooks
specs:
openproject-webhooks (8.2.0)
- rails (~> 5.0)
PATH
remote: modules/xls_export
@@ -186,19 +179,19 @@ GEM
remote: https://rubygems.org/
specs:
Ascii85 (1.0.3)
- actioncable (5.1.6.1)
- actionpack (= 5.1.6.1)
+ actioncable (5.2.1)
+ actionpack (= 5.2.1)
nio4r (~> 2.0)
- websocket-driver (~> 0.6.1)
- actionmailer (5.1.6.1)
- actionpack (= 5.1.6.1)
- actionview (= 5.1.6.1)
- activejob (= 5.1.6.1)
+ websocket-driver (>= 0.6.1)
+ actionmailer (5.2.1)
+ actionpack (= 5.2.1)
+ actionview (= 5.2.1)
+ activejob (= 5.2.1)
mail (~> 2.5, >= 2.5.4)
rails-dom-testing (~> 2.0)
- actionpack (5.1.6.1)
- actionview (= 5.1.6.1)
- activesupport (= 5.1.6.1)
+ actionpack (5.2.1)
+ actionview (= 5.2.1)
+ activesupport (= 5.2.1)
rack (~> 2.0)
rack-test (>= 0.6.3)
rails-dom-testing (~> 2.0)
@@ -206,34 +199,38 @@ GEM
actionpack-xml_parser (2.0.1)
actionpack (>= 5.0)
railties (>= 5.0)
- actionview (5.1.6.1)
- activesupport (= 5.1.6.1)
+ actionview (5.2.1)
+ activesupport (= 5.2.1)
builder (~> 3.1)
erubi (~> 1.4)
rails-dom-testing (~> 2.0)
rails-html-sanitizer (~> 1.0, >= 1.0.3)
active_record_query_trace (1.5.4)
- activejob (5.1.6.1)
- activesupport (= 5.1.6.1)
+ activejob (5.2.1)
+ activesupport (= 5.2.1)
globalid (>= 0.3.6)
- activemodel (5.1.6.1)
- activesupport (= 5.1.6.1)
+ activemodel (5.2.1)
+ activesupport (= 5.2.1)
activemodel-serializers-xml (1.0.1)
activemodel (> 5.x)
activerecord (> 5.x)
activesupport (> 5.x)
builder (~> 3.1)
- activerecord (5.1.6.1)
- activemodel (= 5.1.6.1)
- activesupport (= 5.1.6.1)
- arel (~> 8.0)
+ activerecord (5.2.1)
+ activemodel (= 5.2.1)
+ activesupport (= 5.2.1)
+ arel (>= 9.0)
activerecord-session_store (1.1.1)
actionpack (>= 4.0)
activerecord (>= 4.0)
multi_json (~> 1.11, >= 1.11.2)
rack (>= 1.5.2, < 3)
railties (>= 4.0)
- activesupport (5.1.6.1)
+ activestorage (5.2.1)
+ actionpack (= 5.2.1)
+ activerecord (= 5.2.1)
+ marcel (~> 0.3.1)
+ activesupport (5.2.1)
concurrent-ruby (~> 1.0, >= 1.0.2)
i18n (>= 0.7, < 2)
minitest (~> 5.1)
@@ -252,13 +249,13 @@ GEM
airbrake-ruby (1.5.0)
archive-zip (0.11.0)
io-like (~> 0.3.0)
- arel (8.0.0)
+ arel (9.0.0)
ast (2.4.0)
attr_required (1.0.1)
autoprefixer-rails (7.1.5)
execjs
- awesome_nested_set (3.1.3)
- activerecord (>= 4.0.0, < 5.2)
+ awesome_nested_set (3.1.4)
+ activerecord (>= 4.0.0, < 5.3)
aws-partitions (1.82.0)
aws-sdk-core (3.20.2)
aws-partitions (~> 1.0)
@@ -364,10 +361,10 @@ GEM
declarative-builder (0.1.0)
declarative-option (< 0.2.0)
declarative-option (0.1.0)
- delayed_job (4.1.4)
- activesupport (>= 3.0, < 5.2)
- delayed_job_active_record (4.1.2)
- activerecord (>= 3.0, < 5.2)
+ delayed_job (4.1.5)
+ activesupport (>= 3.0, < 5.3)
+ delayed_job_active_record (4.1.3)
+ activerecord (>= 3.0, < 5.3)
delayed_job (>= 3.0, < 5)
descendants_tracker (0.0.4)
thread_safe (~> 0.3, >= 0.3.1)
@@ -415,7 +412,7 @@ GEM
fog-core
nokogiri (~> 1.5, >= 1.5.11)
formatador (0.2.5)
- friendly_id (5.2.3)
+ friendly_id (5.2.4)
activerecord (>= 4.0.0)
fuubar (2.3.1)
rspec-core (~> 3.0)
@@ -474,6 +471,10 @@ GEM
addressable (~> 2.3)
letter_opener (1.4.1)
launchy (~> 2.2)
+ listen (3.1.5)
+ rb-fsevent (~> 0.9, >= 0.9.4)
+ rb-inotify (~> 0.9, >= 0.9.7)
+ ruby_dep (~> 1.2)
livingstyleguide (2.0.2)
minisyntax (>= 0.2.5)
redcarpet
@@ -489,14 +490,17 @@ GEM
nokogiri (>= 1.5.9)
mail (2.7.1)
mini_mime (>= 0.1.1)
+ marcel (0.3.3)
+ mimemagic (~> 0.3.2)
messagebird-rest (1.3.3)
meta-tags (2.6.0)
actionpack (>= 3.2.0, < 5.3)
- method_source (0.9.2)
+ method_source (0.9.1)
mime-types (3.2.2)
mime-types-data (~> 3.2015)
mime-types-data (3.2018.0812)
- mini_mime (1.0.1)
+ mimemagic (0.3.2)
+ mini_mime (1.0.0)
mini_portile2 (2.3.0)
minisyntax (0.2.5)
minitest (5.11.3)
@@ -598,17 +602,18 @@ GEM
rack_session_access (0.2.0)
builder (>= 2.0.0)
rack (>= 1.0.0)
- rails (5.1.6.1)
- actioncable (= 5.1.6.1)
- actionmailer (= 5.1.6.1)
- actionpack (= 5.1.6.1)
- actionview (= 5.1.6.1)
- activejob (= 5.1.6.1)
- activemodel (= 5.1.6.1)
- activerecord (= 5.1.6.1)
- activesupport (= 5.1.6.1)
+ rails (5.2.1)
+ actioncable (= 5.2.1)
+ actionmailer (= 5.2.1)
+ actionpack (= 5.2.1)
+ actionview (= 5.2.1)
+ activejob (= 5.2.1)
+ activemodel (= 5.2.1)
+ activerecord (= 5.2.1)
+ activestorage (= 5.2.1)
+ activesupport (= 5.2.1)
bundler (>= 1.3.0)
- railties (= 5.1.6.1)
+ railties (= 5.2.1)
sprockets-rails (>= 2.0.0)
rails-controller-testing (1.0.2)
actionpack (~> 5.x, >= 5.0.1)
@@ -624,12 +629,12 @@ GEM
rails_stdout_logging
rails_serve_static_assets (0.0.5)
rails_stdout_logging (0.0.5)
- railties (5.1.6.1)
- actionpack (= 5.1.6.1)
- activesupport (= 5.1.6.1)
+ railties (5.2.1)
+ actionpack (= 5.2.1)
+ activesupport (= 5.2.1)
method_source
rake (>= 0.8.7)
- thor (>= 0.18.1, < 2.0)
+ thor (>= 0.19.0, < 2.0)
rainbow (3.0.0)
raindrops (0.19.0)
rake (12.3.1)
@@ -708,6 +713,7 @@ GEM
ruby-rc4 (0.1.5)
ruby-saml (1.9.0)
nokogiri (>= 1.5.10)
+ ruby_dep (1.5.0)
rubyzip (1.2.2)
safe_yaml (1.0.4)
sanitize (4.6.4)
@@ -725,7 +731,7 @@ GEM
sprockets (>= 2.8, < 4.0)
sprockets-rails (>= 2.0, < 4.0)
tilt (>= 1.1, < 3)
- secure_headers (5.0.5)
+ secure_headers (6.0.0)
useragent (>= 0.15.0)
selenium-webdriver (3.141.0)
childprocess (~> 0.5)
@@ -807,7 +813,7 @@ GEM
addressable (>= 2.3.6)
crack (>= 0.3.2)
hashdiff
- websocket-driver (0.6.5)
+ websocket-driver (0.7.0)
websocket-extensions (>= 0.1.0)
websocket-extensions (0.1.3)
will_paginate (3.1.6)
@@ -865,6 +871,7 @@ DEPENDENCIES
json_spec (~> 1.1.4)
launchy (~> 2.4.3)
letter_opener
+ listen (~> 3.1)
livingstyleguide (~> 2.0.1)
meta-tags (~> 2.6.0)
multi_json (~> 1.12.1)
@@ -912,7 +919,7 @@ DEPENDENCIES
rack-protection (~> 2.0.0)
rack-test (~> 1.0.0)
rack_session_access
- rails (~> 5.1.6)
+ rails (~> 5.2.1)
rails-controller-testing (~> 1.0.2)
rails_12factor
rdoc (>= 2.4.2)
@@ -940,7 +947,7 @@ DEPENDENCIES
sanitize (~> 4.6.0)
sass (= 3.5.1)
sass-rails (~> 5.0.6)
- secure_headers (~> 5.0.5)
+ secure_headers (~> 6.0.0)
selenium-webdriver (~> 3.14)
semantic (~> 1.6.1)
shoulda-context (~> 1.2)
diff --git a/app/helpers/hide_sections_helper.rb b/app/helpers/hide_sections_helper.rb
index f76dd75e007..4329db7b492 100644
--- a/app/helpers/hide_sections_helper.rb
+++ b/app/helpers/hide_sections_helper.rb
@@ -37,6 +37,8 @@ module HideSectionsHelper
}
)
- include_gon(nonce: content_security_policy_script_nonce, camel_case: true, camel_depth: 15)
+ nonced_javascript_tag do
+ include_gon(need_tag: false, nonce: content_security_policy_script_nonce, camel_case: true, camel_depth: 15)
+ end
end
end
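Review bot: The `nonce:` option passed to `include_gon` looks redundant once `need_tag: false` is set, because the script tag and its nonce now come from `nonced_javascript_tag`. The four view templates changed in this commit call `include_gon(need_tag: false)` without it. Dropping it leaves one source for the CSP nonce: `include_gon(need_tag: false, camel_case: true, camel_depth: 15)`. The enclosing helper method starts above the hunk, so confirm that its return value is still the rendered tag.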
diff --git a/app/models/concerns/virtual_attribute.rb b/app/models/concerns/virtual_attribute.rb
index 57cafe5a78a..5cfb9b15493 100644
--- a/app/models/concerns/virtual_attribute.rb
+++ b/app/models/concerns/virtual_attribute.rb
@@ -91,12 +91,12 @@ module Concerns
# Using attribute_will_change! does not place the value in the tracker but merely forces
# the attribute to be returned when asking the object for changes.
def set_virtual_attribute_was(attribute, value)
- attributes = mutation_tracker.send(:attributes)
+ attributes = mutations_from_database.send(:attributes)
attributes[attribute.to_s].instance_variable_set(:@value_before_type_cast, value)
end
def set_virtual_attribute(attribute, value)
- attributes = mutation_tracker.send(:attributes)
+ attributes = mutations_from_database.send(:attributes)
attributes[attribute.to_s] = attributes[attribute.to_s].with_value_from_user(value)
end
end
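Review bot: Both setters still reach into ActiveRecord internals through `mutations_from_database.send(:attributes)` and `instance_variable_set(:@value_before_type_cast, value)`, and this rename shows that those internals move between minor Rails releases. A comment above `set_virtual_attribute_was` such as `# Relies on private ActiveRecord API (mutations_from_database); re-check on every Rails upgrade` would flag the coupling. A spec covering dirty tracking of virtual attributes would make the next breakage fail loudly rather than mis-report changes. The enclosing module starts outside the hunk.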
diff --git a/app/views/boards/show.html.erb b/app/views/boards/show.html.erb
index 94a89e175f2..6d7bcfe9086 100644
--- a/app/views/boards/show.html.erb
+++ b/app/views/boards/show.html.erb
@@ -27,7 +27,9 @@ See docs/COPYRIGHT.rdoc for more details.
++#%>
-<%= include_gon(nonce: content_security_policy_nonce(:script)) %>
+<%= nonced_javascript_tag do %>
+ <%= include_gon(need_tag: false) -%>
+<% end %>
<% if authorize_for('messages', 'new') %>
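Review bot: The same three-line `nonced_javascript_tag` / `include_gon(need_tag: false)` wrapper is pasted here and in app/views/layouts/angular.html.erb, app/views/my/page_layout.html.erb and app/views/timelog/index.html.erb. Moving it into a single view helper would leave one place that decides how gon data is emitted under the CSP, so an individual template cannot drift back to an inline script without a nonce. Because the script body is now produced by `<%= %>` inside the block, a view spec should also confirm that the rendered gon payload is not HTML-escaped by ERB.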
diff --git a/app/views/layouts/angular.html.erb b/app/views/layouts/angular.html.erb
index 0dbb6e7d5a6..aa431655b44 100644
--- a/app/views/layouts/angular.html.erb
+++ b/app/views/layouts/angular.html.erb
@@ -28,7 +28,9 @@ See docs/COPYRIGHT.rdoc for more details.
++#%>
<%= content_for :header_tags do %>
- <%= include_gon(nonce: content_security_policy_script_nonce) %>
+ <%= nonced_javascript_tag do %>
+ <%= include_gon(need_tag: false) -%>
+ <% end %>
<%= call_hook :view_work_package_overview_attributes %>
<% end -%>
diff --git a/app/views/my/page_layout.html.erb b/app/views/my/page_layout.html.erb
index 8080d9e4f9b..76d8db71764 100644
--- a/app/views/my/page_layout.html.erb
+++ b/app/views/my/page_layout.html.erb
@@ -27,7 +27,9 @@ See docs/COPYRIGHT.rdoc for more details.
++#%>
<%= javascript_include_tag 'my_page' %>
-<%= include_gon(nonce: content_security_policy_nonce(:script)) %>
+<%= nonced_javascript_tag do %>
+ <%= include_gon(need_tag: false) -%>
+<% end %>
<%= toolbar title: l(:label_my_page) do %>
<%= styled_form_tag({ action: "add_block" }, class: 'my-page--block-form') do %>
diff --git a/app/views/timelog/index.html.erb b/app/views/timelog/index.html.erb
index 28e8b52a5ee..d4318e98eeb 100644
--- a/app/views/timelog/index.html.erb
+++ b/app/views/timelog/index.html.erb
@@ -27,7 +27,9 @@ See docs/COPYRIGHT.rdoc for more details.
++#%>
-<%= include_gon(nonce: content_security_policy_script_nonce) %>
+<%= nonced_javascript_tag do %>
+ <%= include_gon(need_tag: false) -%>
+<% end %>
<%= toolbar title: l(:label_spent_time) do %>
<% if User.current.allowed_to?({controller: :timelog, action: :new}, @project) %>
diff --git a/bin/bundle b/bin/bundle
index 66e9889e8b4..f19acf5b5cc 100755
--- a/bin/bundle
+++ b/bin/bundle
@@ -1,3 +1,3 @@
#!/usr/bin/env ruby
-ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../../Gemfile', __FILE__)
+ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../Gemfile', __dir__)
load Gem.bin_path('bundler', 'bundle')
diff --git a/bin/rails b/bin/rails
index 5191e6927af..07396602377 100755
--- a/bin/rails
+++ b/bin/rails
@@ -1,4 +1,4 @@
#!/usr/bin/env ruby
-APP_PATH = File.expand_path('../../config/application', __FILE__)
+APP_PATH = File.expand_path('../config/application', __dir__)
require_relative '../config/boot'
require 'rails/commands'
diff --git a/config/application.rb b/config/application.rb
index 93a6e6b8ce0..8117d3260cd 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -27,7 +27,7 @@
# See docs/COPYRIGHT.rdoc for more details.
#++
-require File.expand_path('../boot', __FILE__)
+require_relative 'boot'
require 'benchmark'
module SimpleBenchmark
diff --git a/config/boot.rb b/config/boot.rb
index a31d2c0098e..4d189e2a8f4 100644
--- a/config/boot.rb
+++ b/config/boot.rb
@@ -38,20 +38,4 @@ end
require 'bundler/setup' # Set up gems listed in the Gemfile.
-# Rails is not yet loaded here
-if ENV['RAILS_ENV'] == 'development'
- $stderr.puts "Starting with bootsnap."
-
- require 'bootsnap'
-
- is_mac = RUBY_PLATFORM.include? 'darwin'
- Bootsnap.setup(
- cache_dir: 'tmp/cache', # Path to your cache
- development_mode: true,
- load_path_cache: true, # Should we optimize the LOAD_PATH with a cache?
- autoload_paths_cache: true, # Should we optimize ActiveSupport autoloads with cache?
- disable_trace: false, # Sets `RubyVM::InstructionSequence.compile_option = { trace_instruction: false }`
- compile_cache_iseq: is_mac, # Should compile Ruby code into ISeq cache?
- compile_cache_yaml: is_mac # Should compile YAML into a cache?
- )
-end
+require 'bootsnap/setup' # Speed up boot time by caching expensive operations.
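Review bot: `require 'bootsnap/setup'` now runs in every environment, whereas the removed block loaded bootsnap only when `RAILS_ENV` was `development` and enabled the compile caches only on macOS. This requires the bootsnap gem to be available outside the development group, which cannot be confirmed here because the Gemfile hunks in this commit do not touch it. It also requires a writable cache directory in production. That directory then holds compiled code the application loads at boot, so it should be writable only by the application user. If production use is not intended, keep the guard: `require 'bootsnap/setup' if ENV['RAILS_ENV'] == 'development'`.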
diff --git a/config/environment.rb b/config/environment.rb
index dbee2d20c95..dc3f9663ffc 100644
--- a/config/environment.rb
+++ b/config/environment.rb
@@ -28,7 +28,7 @@
#++
# Load the Rails application.
-require File.expand_path('../application', __FILE__)
+require_relative 'application'
# Initialize the Rails application.
OpenProject::Application.initialize!
diff --git a/config/environments/development.rb b/config/environments/development.rb
index 330268ef5a7..61aef1b2325 100644
--- a/config/environments/development.rb
+++ b/config/environments/development.rb
@@ -41,12 +41,21 @@ OpenProject::Application.configure do
# Do not eager load code on boot.
config.eager_load = false
+ # Asynchronous file watcher
+ config.file_watcher = ActiveSupport::EventedFileUpdateChecker
+
+ # Store uploaded files on the local file system (see config/storage.yml for options)
+ config.active_storage.service = :local
+
# Show full error reports
- config.consider_all_requests_local = true
+ config.consider_all_requests_local = true
# Enable caching in development
config.action_controller.perform_caching = true
+ # Don't perform caching for Action Mailer in development
+ config.action_mailer.perform_caching = false
+
# Don't care if the mailer can't send.
config.action_mailer.raise_delivery_errors = false
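Review bot: `config.active_storage.service = :local` selects an Active Storage service in development while production.rb keeps the same line commented out, and nothing else in this commit uses Active Storage. If the framework is loaded at all (the requires in config/application.rb are outside this diff), its engine presumably also brings its own upload and blob endpoints into the application. If Active Storage is not used, leave the line commented here as well, `# config.active_storage.service = :local`, and consider not loading the engine. If it is used, make sure the `storage` directory named in config/storage.yml is excluded from version control.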
@@ -56,6 +65,9 @@ OpenProject::Application.configure do
# Raise an error on page load if there are pending migrations
config.active_record.migration_error = :page_load
+ # Highlight code that triggered database queries in logs.
+ config.active_record.verbose_query_logs = true
+
# Disable compression and asset digests, but disable debug
config.assets.debug = false
config.assets.digest = false
diff --git a/config/environments/production.rb b/config/environments/production.rb
index bde1b4cdfe3..3cc1eb4e431 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -46,13 +46,14 @@ OpenProject::Application.configure do
config.consider_all_requests_local = false
config.action_controller.perform_caching = true
- # Enable Rack::Cache to put a simple HTTP cache in front of your application
- # Add `rack-cache` to your Gemfile before enabling this.
- # For large-scale production use, consider using a caching reverse proxy like nginx, varnish or squid.
- # config.action_dispatch.rack_cache = true
+ # Ensures that a master key has been made available in either ENV["RAILS_MASTER_KEY"]
+ # or in config/master.key. This key is used to decrypt credentials (and other encrypted files).
+ # config.require_master_key = true
# Enable Rails's static asset server when requested
- config.public_file_server.enabled = false
+ # Disable serving static files from the `/public` folder by default since
+ # Apache or NGINX already handles this.
+ config.public_file_server.enabled = ENV['RAILS_SERVE_STATIC_FILES'].present?
# Compress JavaScripts and CSS.
config.assets.js_compressor = nil
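Review bot: `ENV['RAILS_SERVE_STATIC_FILES'].present?` is true for any non-blank value, so `RAILS_SERVE_STATIC_FILES=false` or `=0` switches the static file server on. This file already casts `rails_force_ssl` with `ActiveModel::Type::Boolean`, and the same approach avoids the surprise here: `config.public_file_server.enabled = ActiveModel::Type::Boolean.new.cast(ENV['RAILS_SERVE_STATIC_FILES'])`. The comment lines above the setting also contradict each other (an "Enable … when requested" line followed by "Disable … by default") and could be merged into one sentence.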
@@ -71,6 +72,9 @@ OpenProject::Application.configure do
# config.action_dispatch.x_sendfile_header = "X-Sendfile" # for apache
# config.action_dispatch.x_sendfile_header = 'X-Accel-Redirect' # for nginx
+ # Store uploaded files on the local file system (see config/storage.yml for options)
+ # config.active_storage.service = :local
+
# Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
config.force_ssl = ActiveModel::Type::Boolean.new.cast(OpenProject::Configuration['rails_force_ssl'])
config.ssl_options = {
@@ -110,10 +114,17 @@ OpenProject::Application.configure do
config.active_support.deprecation = :notify
# Disable automatic flushing of the log to improve performance.
- # config.autoflush_log = false
+ config.autoflush_log = false
# Use default logging formatter so that PID and timestamp are not suppressed.
config.log_formatter = ::Logger::Formatter.new
+ if ENV["RAILS_LOG_TO_STDOUT"].present?
+ logger = ActiveSupport::Logger.new(STDOUT)
+ logger.formatter = config.log_formatter
+ config.logger = ActiveSupport::TaggedLogging.new(logger)
+ end
+
+
config.active_record.dump_schema_after_migration = false
end
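Review bot: Uncommenting `config.autoflush_log = false` makes writes to the production log file buffered, so the last lines before a crash or a killed worker can be lost and entries reach the file late. That weakens the log as an audit and incident-response record. The Rails 5.2 upgrade does not appear to require it, so either keep it commented, `# config.autoflush_log = false`, or add a comment explaining why the trade-off is accepted. The new `RAILS_LOG_TO_STDOUT` branch also treats any non-blank value as enabled, and it leaves two blank lines before `config.active_record.dump_schema_after_migration`.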
diff --git a/config/initializers/30-redmine.rb b/config/initializers/30-redmine.rb
index 82b5b0dd5ef..c01ce8a427f 100644
--- a/config/initializers/30-redmine.rb
+++ b/config/initializers/30-redmine.rb
@@ -39,4 +39,3 @@ if Setting.table_exists? # don't want to prevent migrations
end
require 'open_project'
-require 'chili_project'
diff --git a/config/initializers/active_record_query_trace.rb b/config/initializers/active_record_query_trace.rb
deleted file mode 100644
index 58917029c56..00000000000
--- a/config/initializers/active_record_query_trace.rb
+++ /dev/null
@@ -1,5 +0,0 @@
-if Rails.env.development?
- ActiveRecordQueryTrace.enabled = true
- ActiveRecordQueryTrace.lines = 1
- ActiveRecordQueryTrace.colorize = 'light purple'
-end
diff --git a/config/initializers/application_controller_renderer.rb b/config/initializers/application_controller_renderer.rb
new file mode 100644
index 00000000000..89d2efab2ba
--- /dev/null
+++ b/config/initializers/application_controller_renderer.rb
@@ -0,0 +1,8 @@
+# Be sure to restart your server when you modify this file.
+
+# ActiveSupport::Reloader.to_prepare do
+# ApplicationController.renderer.defaults.merge!(
+# http_host: 'example.org',
+# https: false
+# )
+# end
diff --git a/config/initializers/callback_terminator.rb b/config/initializers/callback_terminator.rb
deleted file mode 100644
index 704651d1a7c..00000000000
--- a/config/initializers/callback_terminator.rb
+++ /dev/null
@@ -1,38 +0,0 @@
-#-- encoding: UTF-8
-#-- copyright
-# OpenProject is a project management system.
-# Copyright (C) 2012-2018 the OpenProject Foundation (OPF)
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of the GNU General Public License version 3.
-#
-# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
-# Copyright (C) 2006-2017 Jean-Philippe Lang
-# Copyright (C) 2010-2013 the ChiliProject Team
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of the GNU General Public License
-# as published by the Free Software Foundation; either version 2
-# of the License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-#
-# See docs/COPYRIGHT.rdoc for more details.
-#++
-
-# This configuration was added so that we do not accidentially pass a filter chain
-# because it was not yet updated
-#
-# We'll have to look out for deprecation warnings like:
-#
-# DEPRECATION WARNING: Returning `false` in Active Record and Active Model callbacks
-# will not implicitly halt a callback chain in the next release of Rails.
-# To explicitly halt the callback chain, please use `throw :abort` instead.
-ActiveSupport.halt_callback_chains_on_return_false = true
diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
new file mode 100644
index 00000000000..d3bcaa5ec84
--- /dev/null
+++ b/config/initializers/content_security_policy.rb
@@ -0,0 +1,25 @@
+# Be sure to restart your server when you modify this file.
+
+# Define an application-wide content security policy
+# For further information see the following documentation
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
+
+# Rails.application.config.content_security_policy do |policy|
+# policy.default_src :self, :https
+# policy.font_src :self, :https, :data
+# policy.img_src :self, :https, :data
+# policy.object_src :none
+# policy.script_src :self, :https
+# policy.style_src :self, :https
+
+# # Specify URI for violation reports
+# # policy.report_uri "/csp-violation-report-endpoint"
+# end
+
+# If you are using UJS then enable automatic nonce generation
+# Rails.application.config.content_security_policy_nonce_generator = -> request { SecureRandom.base64(16) }
+
+# Report CSP violations to a specified URI
+# For further information see the following documentation:
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only
+# Rails.application.config.content_security_policy_report_only = true
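Review bot: This generated initializer is entirely commented out, while the Gemfile labels `secure_headers` as the gem providing the CSP headers, so the file documents a second, unused way to configure the policy. Add a header comment such as `# CSP is configured through secure_headers; do not enable the Rails DSL below without removing that configuration`, or delete the file. Otherwise a later change could enable both mechanisms and leave the application with two policies that disagree.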
diff --git a/config/initializers/cookies_serializer.rb b/config/initializers/cookies_serializer.rb
new file mode 100644
index 00000000000..1389e86a34a
--- /dev/null
+++ b/config/initializers/cookies_serializer.rb
@@ -0,0 +1,5 @@
+# Be sure to restart your server when you modify this file.
+
+# Specify a serializer for the signed and encrypted cookie jars.
+# Valid options are :json, :marshal, and :hybrid.
+Rails.application.config.action_dispatch.cookies_serializer = :marshal
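Review bot: `:marshal` keeps signed and encrypted cookies in Ruby's Marshal format, so a leaked `secret_key_base` escalates from cookie forgery to unsafe object deserialization on the server. `Rails.application.config.action_dispatch.cookies_serializer = :hybrid` still reads existing Marshal cookies but rewrites them as JSON, after which the setting can move to `:json`. Before switching, check that no cookie stores values that do not survive a JSON round trip, such as symbols or custom objects. If `:marshal` must stay, a comment stating the reason would help.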
diff --git a/config/initializers/new_framework_defaults_5_2.rb b/config/initializers/new_framework_defaults_5_2.rb
new file mode 100644
index 00000000000..d3854107d3b
--- /dev/null
+++ b/config/initializers/new_framework_defaults_5_2.rb
@@ -0,0 +1,38 @@
+# Be sure to restart your server when you modify this file.
+#
+# This file contains migration options to ease your Rails 5.2 upgrade.
+#
+# Once upgraded flip defaults one by one to migrate to the new default.
+#
+# Read the Guide for Upgrading Ruby on Rails for more info on each option.
+
+# Make Active Record use stable #cache_key alongside new #cache_version method.
+# This is needed for recyclable cache keys.
+# Rails.application.config.active_record.cache_versioning = true
+
+# Use AES-256-GCM authenticated encryption for encrypted cookies.
+# Also, embed cookie expiry in signed or encrypted cookies for increased security.
+#
+# This option is not backwards compatible with earlier Rails versions.
+# It's best enabled when your entire app is migrated and stable on 5.2.
+#
+# Existing cookies will be converted on read then written with the new scheme.
+Rails.application.config.action_dispatch.use_authenticated_cookie_encryption = true
+
+# Use AES-256-GCM authenticated encryption as default cipher for encrypting messages
+# instead of AES-256-CBC, when use_authenticated_message_encryption is set to true.
+Rails.application.config.active_support.use_authenticated_message_encryption = true
+
+# Add default protection from forgery to ActionController::Base instead of in
+# ApplicationController.
+# Rails.application.config.action_controller.default_protect_from_forgery = true
+
+# Store boolean values are in sqlite3 databases as 1 and 0 instead of 't' and
+# 'f' after migrating old data.
+# Rails.application.config.active_record.sqlite3.represent_boolean_as_integer = true
+
+# Use SHA-1 instead of MD5 to generate non-sensitive digests, such as the ETag header.
+Rails.application.config.active_support.use_sha1_digests = true
+
+# Make `form_with` generate id attributes for any generated HTML tags.
+# Rails.application.config.action_view.form_with_generates_ids = true
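Review bot: `use_authenticated_cookie_encryption` and `use_authenticated_message_encryption` are switched on in the same commit as the upgrade, although the template comment directly above the first one says it is not backwards compatible and is best enabled once the app is stable on 5.2. Cookies, and possibly messages, written in the new format may not be readable after a rollback to 5.1.x. Consider shipping the upgrade with these two lines commented and enabling them in a follow-up release. `default_protect_from_forgery` stays commented, which is fine only as long as `ApplicationController` calls `protect_from_forgery` itself (not visible in this diff).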
diff --git a/config/storage.yml b/config/storage.yml
new file mode 100644
index 00000000000..d32f76e8fbf
--- /dev/null
+++ b/config/storage.yml
@@ -0,0 +1,34 @@
+test:
+ service: Disk
+ root: <%= Rails.root.join("tmp/storage") %>
+
+local:
+ service: Disk
+ root: <%= Rails.root.join("storage") %>
+
+# Use rails credentials:edit to set the AWS secrets (as aws:access_key_id|secret_access_key)
+# amazon:
+# service: S3
+# access_key_id: <%= Rails.application.credentials.dig(:aws, :access_key_id) %>
+# secret_access_key: <%= Rails.application.credentials.dig(:aws, :secret_access_key) %>
+# region: us-east-1
+# bucket: your_own_bucket
+
+# Remember not to checkin your GCS keyfile to a repository
+# google:
+# service: GCS
+# project: your_project
+# credentials: <%= Rails.root.join("path/to/gcs.keyfile") %>
+# bucket: your_own_bucket
+
+# Use rails credentials:edit to set the Azure Storage secret (as azure_storage:storage_access_key)
+# microsoft:
+# service: AzureStorage
+# storage_account_name: your_account_name
+# storage_access_key: <%= Rails.application.credentials.dig(:azure_storage, :storage_access_key) %>
+# container: your_container_name
+
+# mirror:
+# service: Mirror
+# primary: local
+# mirrors: [ amazon, google, microsoft ]
diff --git a/db/migrate/10000000000000_to_v710_aggregated_migrations.rb b/db/migrate/10000000000000_to_v710_aggregated_migrations.rb
index 4293312faac..2e2f720883b 100644
--- a/db/migrate/10000000000000_to_v710_aggregated_migrations.rb
+++ b/db/migrate/10000000000000_to_v710_aggregated_migrations.rb
@@ -190,7 +190,7 @@ class ToV710AggregatedMigrations < ActiveRecord::Migration[5.1]
end
def all_versions
- @all_versions ||= ActiveRecord::Migrator.get_all_versions
+ @all_versions ||= ActiveRecord::Base.connection.migration_context.get_all_versions
end
def schema_migrations_table_name
diff --git a/frontend/doc/LEGACY.md b/frontend/doc/LEGACY.md
index 6e6d494fdbf..413fe1eafc5 100644
--- a/frontend/doc/LEGACY.md
+++ b/frontend/doc/LEGACY.md
@@ -31,7 +31,9 @@ There are three ways of passing information from Rails to `AngularJS`:
This is included by all layouts in ``:
```js
-<%= include_gon(nonce: content_security_policy_nonce(:script)) %>
+<%= nonced_javascript_tag do %>
+ <%= include_gon(need_tag: false) -%>
+<% end %>
```
`gon` will provide arbitrary settings from Rails to all JavaScript functionality, including `AngularJS`. In an `angular` context a `ConfigurationService` is provided for picking up the settings.
diff --git a/lib/chili_project.rb b/lib/chili_project.rb
deleted file mode 100644
index 1f01a135e93..00000000000
--- a/lib/chili_project.rb
+++ /dev/null
@@ -1,50 +0,0 @@
-#-- encoding: UTF-8
-#-- copyright
-# OpenProject is a project management system.
-# Copyright (C) 2012-2018 the OpenProject Foundation (OPF)
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of the GNU General Public License version 3.
-#
-# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
-# Copyright (C) 2006-2017 Jean-Philippe Lang
-# Copyright (C) 2010-2013 the ChiliProject Team
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of the GNU General Public License
-# as published by the Free Software Foundation; either version 2
-# of the License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-#
-# See docs/COPYRIGHT.rdoc for more details.
-#++
-
-module ChiliProject
- VERSION = ActiveSupport::Deprecation::DeprecatedConstantProxy.new(
- 'ChiliProject::VERSION', 'OpenProject::VERSION'
- )
-
- Database = ActiveSupport::Deprecation::DeprecatedConstantProxy.new(
- 'ChiliProject::Database', 'OpenProject::Database'
- )
-
- module PrincipalAllowanceEvaluator
- Base = ActiveSupport::Deprecation::DeprecatedConstantProxy.new(
- 'ChiliProject::PrincipalAllowanceEvaluator::Base',
- 'OpenProject::PrincipalAllowanceEvaluator::Base'
- )
-
- Default = ActiveSupport::Deprecation::DeprecatedConstantProxy.new(
- 'ChiliProject::PrincipalAllowanceEvaluator::Default',
- 'OpenProject::PrincipalAllowanceEvaluator::Default'
- )
- end
-end
diff --git a/lib/generators/open_project/plugin/templates/%full_name%.gemspec.tt b/lib/generators/open_project/plugin/templates/%full_name%.gemspec.tt
index bdd92684660..ab5f31030f3 100644
--- a/lib/generators/open_project/plugin/templates/%full_name%.gemspec.tt
+++ b/lib/generators/open_project/plugin/templates/%full_name%.gemspec.tt
@@ -15,6 +15,4 @@ Gem::Specification.new do |s|
s.license = "FIXME" # e.g. "MIT" or "GPLv3"
s.files = Dir["{app,config,db,lib}/**/*"] + %w(CHANGELOG.md README.md)
-
- s.add_dependency "rails", "~> 5.0"
end
diff --git a/modules/auth_plugins/openproject-auth_plugins.gemspec b/modules/auth_plugins/openproject-auth_plugins.gemspec
index d49afe976f5..5ab39d48c7f 100644
--- a/modules/auth_plugins/openproject-auth_plugins.gemspec
+++ b/modules/auth_plugins/openproject-auth_plugins.gemspec
@@ -15,7 +15,6 @@ Gem::Specification.new do |s|
s.files = Dir['{app,config,db,lib}/**/*'] + %w(doc/CHANGELOG.md README.md)
- s.add_dependency 'rails', '~> 5.0'
s.add_dependency 'omniauth', '~> 1.0'
s.add_development_dependency 'rspec', '~> 2.14'
diff --git a/modules/avatars/openproject-local_avatars.gemspec b/modules/avatars/openproject-local_avatars.gemspec
index 3c2ede60f5a..7dad229c5cf 100644
--- a/modules/avatars/openproject-local_avatars.gemspec
+++ b/modules/avatars/openproject-local_avatars.gemspec
@@ -19,7 +19,6 @@ Gem::Specification.new do |s|
s.files = Dir["{app,config,db,lib}/**/*"] + %w(README.md)
s.test_files = Dir["spec/**/*"]
- s.add_dependency 'rails', '~> 5.0'
s.add_dependency 'gravatar_image_tag', '~> 1.2.0'
s.add_dependency 'fastimage', '~> 2.1.0'
end
diff --git a/modules/github_integration/openproject-github_integration.gemspec b/modules/github_integration/openproject-github_integration.gemspec
index fcc145c95b8..f4a7f9a97c2 100644
--- a/modules/github_integration/openproject-github_integration.gemspec
+++ b/modules/github_integration/openproject-github_integration.gemspec
@@ -16,7 +16,5 @@ Gem::Specification.new do |s|
s.files = Dir["{app,config,db,doc,lib}/**/*"] + %w(README.md)
- s.add_dependency 'rails', '~> 5.0'
-
s.add_dependency "openproject-webhooks"
end
diff --git a/modules/openid_connect/openproject-openid_connect.gemspec b/modules/openid_connect/openproject-openid_connect.gemspec
index 64ca57512e4..d7b0c5b06cf 100644
--- a/modules/openid_connect/openproject-openid_connect.gemspec
+++ b/modules/openid_connect/openproject-openid_connect.gemspec
@@ -16,7 +16,6 @@ Gem::Specification.new do |s|
s.files = Dir['{app,config,db,lib}/**/*'] + %w(CHANGELOG.md README.md)
- s.add_dependency 'rails', '~> 5.0'
s.add_dependency 'openproject-auth_plugins', '~> 8.0'
s.add_dependency 'omniauth-openid_connect-providers', '~> 0.1'
s.add_dependency 'lobby_boy', '~> 0.1.3'
diff --git a/modules/reporting_engine/reporting_engine.gemspec b/modules/reporting_engine/reporting_engine.gemspec
index 233ffdd0037..7da137390d6 100644
--- a/modules/reporting_engine/reporting_engine.gemspec
+++ b/modules/reporting_engine/reporting_engine.gemspec
@@ -17,6 +17,5 @@ Gem::Specification.new do |s|
s.files = Dir["{config, doc, lib}/**/*", "README.md"]
- s.add_dependency 'rails', '~> 5.1.0'
s.add_dependency "json"
end
diff --git a/modules/two_factor_authentication/openproject-two_factor_authentication.gemspec b/modules/two_factor_authentication/openproject-two_factor_authentication.gemspec
index d91b335f839..2d5d3f2db05 100644
--- a/modules/two_factor_authentication/openproject-two_factor_authentication.gemspec
+++ b/modules/two_factor_authentication/openproject-two_factor_authentication.gemspec
@@ -21,7 +21,6 @@ Gem::Specification.new do |s|
s.add_dependency 'rotp', '~> 3.3'
s.add_dependency 'messagebird-rest', '~> 1.3.2'
- s.add_dependency 'rails', '~> 5'
s.add_dependency 'aws-sdk-sns', '~> 1.1.0'
end
diff --git a/modules/webhooks/openproject-webhooks.gemspec b/modules/webhooks/openproject-webhooks.gemspec
index eac15f63fc9..32af56cc14b 100644
--- a/modules/webhooks/openproject-webhooks.gemspec
+++ b/modules/webhooks/openproject-webhooks.gemspec
@@ -15,7 +15,4 @@ Gem::Specification.new do |s|
s.license = 'GPLv3'
s.files = Dir["{app,config,db,doc,lib}/**/*"] + %w(README.md)
-
- s.add_dependency 'rails', '~> 5.0'
-
end