
@Teino1978-Corp
Created January 22, 2016 07:49
How to securely set rails secret key when you deploy to Heroku.

Stop Versioning Rails Secret Tokens

After reading Code Climate's "Rails' Insecure Defaults" I realized I was guilty of breaking rule 3, Versioned Secret Tokens. Here's how I fixed it.

Use dotenv to load the key from a local .env file in the development and test environments:

# Gemfile
gem 'dotenv-rails', groups: [:development, :test]

Generate a local development key and write it to .env (add .env to .gitignore so the file is never committed; otherwise the secret has only moved from one versioned file to another):

echo RAILS_SECRET_KEY_BASE=`rake secret` > .env

Rails initializer that reads the key from the environment instead of hard-coding it:

# config/initializers/secret_token.rb
YourApp::Application.config.secret_key_base = ENV['RAILS_SECRET_KEY_BASE']

Set the key on Heroku. Generating it inside the command substitution keeps the literal value out of your shell history, and redirecting stdout stops heroku from echoing it into your terminal scrollback:

heroku config:set RAILS_SECRET_KEY_BASE=`rake secret` > /dev/null
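As an added example that is not part of the original gist, here is a fail-closed variant of the initializer step: instead of silently assigning nil when RAILS_SECRET_KEY_BASE is unset, it refuses to boot, and it rejects values that do not look like `rake secret` output (a committed placeholder, a truncated paste). The module name SecretKeyBase and its methods are illustrative; that `rake secret` prints SecureRandom.hex(64) is how Rails implements the task.

```ruby
require 'securerandom'

# Illustrative module (not from the gist): resolves secret_key_base from the
# environment and fails closed instead of returning nil.
module SecretKeyBase
  VAR = 'RAILS_SECRET_KEY_BASE'
  # `rake secret` prints SecureRandom.hex(64), i.e. 128 hex characters.
  EXPECTED_LENGTH = 128

  class MissingSecret < StandardError; end
  class WeakSecret < StandardError; end

  # Same value `rake secret` prints; handy for the .env step when rake is not
  # on the PATH.
  def self.generate
    SecureRandom.hex(64)
  end

  # Look the key up in an environment hash (ENV in a real initializer).
  # Raising here means a deploy with a missing or mangled variable fails at
  # boot rather than signing cookies with nil or a placeholder string.
  def self.resolve(env = ENV, var: VAR)
    value = env[var].to_s
    raise MissingSecret, "#{var} is not set" if value.empty?
    raise WeakSecret, "#{var} is shorter than rake secret output" if value.length < EXPECTED_LENGTH
    raise WeakSecret, "#{var} is not a hex string" unless value.match?(/\A\h+\z/)
    value
  end
end

# config/initializers/secret_token.rb would then read:
#   YourApp::Application.config.secret_key_base = SecretKeyBase.resolve

if $PROGRAM_NAME == __FILE__
  # Constructed input standing in for ENV on a correctly configured dyno.
  sample = { SecretKeyBase::VAR => SecretKeyBase.generate }
  puts "ok: #{SecretKeyBase.resolve(sample).length} hex chars"
  begin
    SecretKeyBase.resolve({}) # simulates a deploy where the variable was never set
  rescue SecretKeyBase::MissingSecret => e
    puts "refused: #{e.message}"
  end
end
```

The length and hex checks are deliberately narrow: they only catch a key that is obviously not what `rake secret` produced, and a longer key is accepted. If you rotate the Heroku value and forget the .env file, the development server now fails loudly at boot instead of quietly running with a nil secret.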