If you google `secret_token.rb -ENV site:github.com`, or search GitHub with https://github.com/search?l=Ruby&p=1&q=application.config.secret_token+%3D+%27&ref=searchbar&type=Code, you'll find that most of the repositories have a secret_token.rb that is unchanged: it is exactly what the Rails generator produced, with the generated token committed in plain text.

Most of us don't pay attention to this file, yet it holds the key Rails uses to sign and verify cookies. Anyone who can read the token out of a public repository can forge a signed session cookie that the application will accept, so leaving the generated file in place makes the application an easy target.
How do you secure secret_token.rb? Change its contents to something like:

```ruby
# config/initializers/secret_token.rb
if Rails.env.production? && ENV['SECRET_TOKEN'].blank?
  raise 'SECRET_TOKEN variable must be set!'
end

HugeDom::Application.config.secret_token = ENV['SECRET_TOKEN'] || '136b3dcb87ea330e09bb..........3d60d69cb5b34f1'
```

With this, production refuses to boot unless SECRET_TOKEN is set, and the hard-coded value only ever serves development and test. Keep in mind that the committed fallback is still public: any environment where Rails.env.production? is false (a staging box, for example) that relies on it is as forgeable as before, so give every internet-facing environment its own SECRET_TOKEN.
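To see why the committed token matters, here is an added example (ours, not code from the original post or from Rails) that reproduces in plain Ruby the signed-cookie scheme Rails 3 uses for its cookie session store: Base64 of the Marshal'd session, two dashes, then the HMAC-SHA1 of that data keyed with secret_token. The class name, the helper names and the token values are made up for this demonstration. It shows that whoever holds the repository's token can mint a session the app accepts, that a per-deployment secret from ENV defeats that, and it carries the secret_token.rb guard as a function that can be exercised without booting Rails.

```ruby
require 'openssl'
require 'base64'

# Minimal re-implementation of the Rails 3 cookie signing scheme
# (ActiveSupport::MessageVerifier with its default SHA1 digest):
#   cookie = Base64(Marshal.dump(session)) + "--" + HMAC-SHA1(secret, data)
# Class and method names are ours, chosen for this example.
class CookieSigner
  class InvalidSignature < StandardError; end

  def initialize(secret)
    @secret = secret
  end

  # Sign a session hash the way the app (or an attacker holding the secret) would.
  def generate(session)
    data = Base64.strict_encode64(Marshal.dump(session))
    "#{data}--#{digest_for(data)}"
  end

  # Return the session if the HMAC matches, otherwise raise.
  def verify(cookie)
    data, digest = cookie.to_s.split('--', 2)
    raise InvalidSignature if data.nil? || digest.nil?
    raise InvalidSignature unless secure_compare(digest, digest_for(data))
    # Marshal.load is tolerable only because the HMAC proves the app produced
    # the payload; with a leaked secret the attacker controls what gets loaded.
    Marshal.load(Base64.strict_decode64(data))
  end

  private

  def digest_for(data)
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), @secret, data)
  end

  # Constant-time comparison, so the check itself does not leak the digest.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed value standing in for the token the generator wrote into
# secret_token.rb and that got committed (a real one is 128 hex chars).
COMMITTED_TOKEN = '136b3dcb87ea330e09bb' * 6

# Does a cookie signed with leaked_secret pass verification in an app
# configured with app_secret?
def attacker_can_forge?(app_secret, leaked_secret)
  forged = CookieSigner.new(leaked_secret).generate({ 'user_id' => 1, 'admin' => true })
  CookieSigner.new(app_secret).verify(forged)['admin'] == true
rescue CookieSigner::InvalidSignature
  false
end

# The guard from the rewritten secret_token.rb, as a function over an ENV-like
# hash: production must get the secret from ENV, other environments may fall
# back to the committed value.
def resolve_secret_token(env, production:)
  token = env['SECRET_TOKEN']
  if production && (token.nil? || token.strip.empty?)
    raise 'SECRET_TOKEN variable must be set!'
  end
  token || COMMITTED_TOKEN
end

if __FILE__ == $PROGRAM_NAME
  fresh = OpenSSL::Random.random_bytes(64).unpack1('H*')
  puts "unchanged secret_token.rb, forgery accepted: #{attacker_can_forge?(COMMITTED_TOKEN, COMMITTED_TOKEN)}"
  puts "secret from ENV, forgery accepted:           #{attacker_can_forge?(fresh, COMMITTED_TOKEN)}"
  begin
    resolve_secret_token({}, production: true)
  rescue RuntimeError => e
    puts "production without SECRET_TOKEN: #{e.message}"
  end
end
```

The forged cookie is accepted only when the app still signs with the token that sits in the repository; once the secret comes from the environment, the same cookie fails the HMAC check and the session is rejected before Marshal.load ever sees it.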
Then add ENV-based configuration to set SECRET_TOKEN. If you are using foreman, you can use
Or, if you are using YAML-based configuration like figaro, you can add to application.yml:

```yaml
production:
  SECRET_TOKEN: a9b8d74171dfc1fa26..........61d12edac3e
```
Make sure application.yml is not in your repository: add it to your