7ew2da
Last Updated: February 25, 2016
·
1.218K
· subosito

Simple but mostly forgotten by many people, securing secret_token.rb

If you google secret_token.rb -ENV site:github.com or search on github `https://github.com/search?l=Ruby&p=1&q=application.config.secret_token+%3D+%27&ref=searchbar&type=Code mostly you'll find the repositories has secret_token.rb file unchanged. I mean it's exactly like rails generator generated.

Almost of us don't care about the file which required to signing and verifying cookies, and potentially to be a victim of hacking attempts.

How to secure secure_token.rb? you can change the content of secret_token.rb into something like:

if Rails.env.production? && ENV['SECRET_TOKEN'].blank?
  raise 'SECRET_TOKEN variable must be set!'
end

HugeDom::Application.config.secret_token = ENV['SECRET_TOKEN'] || '136b3dcb87ea330e09bb..........3d60d69cb5b34f1'

Then we can add ENV based configuration to set SECRET_TOKEN. If you are using foreman, you can use .env file:

SECRET_TOKEN=ca9b8d74171dfc1fa26..........61d12edac3e

Or if you are using YAML based configuration like figaro, you can add on the application.yml

production:
  SECRET_TOKEN: a9b8d74171dfc1fa26..........61d12edac3e

Ensure there is no .env or application.yml on your repository, add to your .gitignore.