I'd never considered that someone might make their staging environment publicly accessible. At the various places I've worked, we've always accomplished that using internal DNS and firewalls. From the inside it looks like a real site.

I guess if you're gonna do some freaky A/B testing this might be a good idea. I dunno, though... it really depends where vulnerability testing occurs in your lifecycle (before, during or after staging).

EDIT: Right, you might make it accessible to the outside world to leverage cloud-based vulnerability-assessment or load-testing tools. All good then.

Generally, I agree.

I worked on one website where we made a pre-prod version public but restricted by IP. We had a load test vendor (whose IPs were whitelisted) hammer the site from locations worldwide. This let us compare latency from, say, APAC vs EMEA.

That solution is fine, as long as your servers and all employees are in the same network (or use a VPN).

For those that work remotely, or use external integration tests for their staging environments, public access is OK.

This seems to be for rails only.

You're right, I edited the title to mention that.