Last Updated: February 25, 2016
· subosito

Simple but often forgotten: securing secret_token.rb

If you google for secret_token.rb -ENV or search GitHub, you will mostly find repositories whose secret_token.rb is unchanged, exactly as the Rails generator produced it.

Most of us pay no attention to this file, yet the token in it is what Rails uses to sign and verify session cookies. Anyone who can read it (and a token committed to a public repository is readable by everyone) can sign cookies of their own and forge any user's session; since Rails 3 deserializes the signed session with Marshal, a valid signature also lets them choose what the application deserializes.

How do you secure secret_token.rb? Change its content to something like:

# Refuse to boot in production without an explicit token; the hard-coded
# fallback below is then only ever used in development and test.
if Rails.env.production? && ENV['SECRET_TOKEN'].blank?
  raise 'SECRET_TOKEN variable must be set!'
end

HugeDom::Application.config.secret_token = ENV['SECRET_TOKEN'] || '136b3dcb87ea330e09bb..........3d60d69cb5b34f1'
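To show what is at stake when the generated token stays in the repository, here is an added example that is not from the original post or from Rails itself. It is a stdlib-only stand-in for how Rails 3 signs its session cookie (Marshal, Base64, then "--" and an HMAC-SHA1 hex digest keyed with secret_token, the format ActiveSupport::MessageVerifier produces), plus the boot-time check from the snippet above written as a method so it can be exercised. CookieSigner, DEFAULT_TOKEN, forge_admin_cookie, load_secret_token and generate_secret_token are names introduced here, and DEFAULT_TOKEN is a constructed stand-in for a committed default, not a real secret.

```ruby
require 'openssl'
require 'base64'
require 'securerandom'

# Stdlib stand-in for Rails 3 cookie signing (ActiveSupport::MessageVerifier
# with its defaults): Marshal.dump the session, Base64-encode it, then append
# "--" and an HMAC-SHA1 hex digest keyed with config.secret_token.
class CookieSigner
  def initialize(secret)
    @secret = secret
  end

  # Produce a signed cookie value for a session hash.
  def generate(session)
    data = Base64.strict_encode64(Marshal.dump(session))
    "#{data}--#{digest_for(data)}"
  end

  # Return the session hash when the signature is valid, nil otherwise.
  # Rails 3 Marshal.loads the payload once the digest checks out, so whoever
  # can produce a valid digest also controls what gets deserialized.
  def verify(cookie)
    data, digest = cookie.to_s.split('--', 2)
    return nil if data.nil? || digest.nil? || data.empty?
    return nil unless secure_compare(digest, digest_for(data))
    Marshal.load(Base64.strict_decode64(data))
  end

  private

  def digest_for(data)
    OpenSSL::HMAC.hexdigest('SHA1', @secret, data)
  end

  # Constant-time comparison so an attacker cannot time their way to a digest.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed stand-in for a generator default that was committed to a public
# repository; not a real token. Every reader of that repository knows it.
DEFAULT_TOKEN = '136b3dcb87ea330e09bb' + 'f' * 88 + '3d60d69cb5b34f1'

# What an attacker does with a leaked token: sign a session of their choosing.
def forge_admin_cookie(token)
  CookieSigner.new(token).generate('user_id' => 1, 'admin' => true)
end

# The secret_token.rb check from the post as a method: refuse to start in
# production without SECRET_TOKEN; elsewhere fall back to a dev-only value.
def load_secret_token(env, production:, fallback: DEFAULT_TOKEN)
  token = env['SECRET_TOKEN']
  blank = token.nil? || token.strip.empty?
  raise 'SECRET_TOKEN variable must be set!' if production && blank
  blank ? fallback : token
end

# Same shape as `rake secret` in Rails 3: 64 random bytes as 128 hex chars.
def generate_secret_token
  SecureRandom.hex(64)
end

if __FILE__ == $PROGRAM_NAME
  forged = forge_admin_cookie(DEFAULT_TOKEN)
  puts "app with the committed default accepts the forgery: #{CookieSigner.new(DEFAULT_TOKEN).verify(forged).inspect}"
  puts "app with its own token rejects it: #{CookieSigner.new(generate_secret_token).verify(forged).inspect}"
end
```

The forged cookie passes verification on any deployment still using the committed default and fails on one whose token came from the environment; the signature check never even reaches Marshal.load in the second case, which is the whole point of keeping the token out of the repository.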

Then set SECRET_TOKEN through the environment. If you use foreman, put it in the .env file:


Or, if you use a YAML-based configuration gem like figaro, add it to application.yml:

  SECRET_TOKEN: a9b8d74171dfc1fa26..........61d12edac3e

Make sure neither .env nor application.yml is committed to your repository: add both to your .gitignore. If a real token has already been pushed, treat it as leaked and generate a new one (rake secret); removing it from the current revision does not remove it from the history.