Last Updated: February 25, 2016 · subosito

Simple but mostly forgotten by many people: securing secret_token.rb

If you google "secret_token.rb -ENV site:github.com" or search GitHub code for it (https://github.com/search?l=Ruby&p=1&q=application.config.secret_token+%3D+%27&ref=searchbar&type=Code), you'll mostly find repositories whose secret_token.rb file is unchanged. I mean it is exactly what the Rails generator produced, secret included.

Most of us don't care about this file, yet it holds the key required for signing and verifying cookies, so an application that leaves it as generated (and commits it) is a potential victim of hacking attempts.

How to secure secret_token.rb? You can change the content of secret_token.rb into something like:

# Refuse to boot in production unless the secret is supplied by the environment
if Rails.env.production? && ENV['SECRET_TOKEN'].blank?
  raise 'SECRET_TOKEN variable must be set!'
end

# Outside production, fall back to a development-only value (never the committed one in production)
HugeDom::Application.config.secret_token = ENV['SECRET_TOKEN'] || '136b3dcb87ea330e09bb..........3d60d69cb5b34f1'

Then we can add ENV-based configuration to set SECRET_TOKEN. If you are using foreman, you can use a .env file:

SECRET_TOKEN=ca9b8d74171dfc1fa26..........61d12edac3e

Or, if you are using YAML-based configuration like figaro, you can add it to application.yml:

production:
  SECRET_TOKEN: a9b8d74171dfc1fa26..........61d12edac3e

Ensure there is no .env or application.yml in your repository: add both to your .gitignore.
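To show what the secret actually protects, and why the production check above matters, here is an added, stand-alone Ruby example (not code from the post or from Rails). It re-implements the cookie signing scheme the secret_token feeds, Rails' ActiveSupport::MessageVerifier, in plain Ruby, and mirrors the secret_token.rb rule for resolving the secret from ENV; names like CookieVerifier and resolve_secret are this example's own, and JSON stands in for Rails' default Marshal serializer so nothing arbitrary is deserialized.

```ruby
require 'openssl'
require 'json'
require 'securerandom'

# Minimal stand-in for ActiveSupport::MessageVerifier, which is what Rails uses
# the secret_token for: cookie = Base64(serialized value) + "--" + hex(HMAC-SHA1).
# JSON replaces Rails' default Marshal serializer so the example runs with plain
# Ruby and never deserializes arbitrary objects from the cookie.
class CookieVerifier
  InvalidSignature = Class.new(StandardError)

  def initialize(secret)
    raise ArgumentError, 'secret must not be blank' if secret.nil? || secret.strip.empty?
    @secret = secret
  end

  # Signed cookie value for +value+ (a JSON-serializable object).
  def generate(value)
    data = [JSON.generate(value)].pack('m0')   # strict base64, no newlines
    "#{data}--#{digest(data)}"
  end

  # The original value, or InvalidSignature if the cookie was not signed
  # with this secret (tampered with, or signed under another key).
  def verify(signed)
    data, sig = signed.to_s.split('--', 2)
    raise InvalidSignature unless data && sig && secure_compare(digest(data), sig)
    JSON.parse(data.unpack1('m0'))
  end

  private

  def digest(data)
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), @secret, data)
  end

  # Constant-time comparison, so timing does not leak how many bytes matched.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Same rule as the secret_token.rb above: production requires SECRET_TOKEN; other
# environments fall back to a development-only value (random here, as `rake secret` makes).
def resolve_secret(env, production)
  token = env['SECRET_TOKEN']
  raise 'SECRET_TOKEN variable must be set!' if production && (token.nil? || token.strip.empty?)
  token || SecureRandom.hex(64)
end
```

A cookie signed under one secret is rejected by a verifier holding any other secret, which is exactly why a secret copied from a public repository, or left as generated, gives no protection.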