Security: keep the Rails secret token out of version control. (!4040) · Merge requests · Import/Export Testing Group / gitlabhq_1618880758

Matthias Käppler requested to merge github/fork/smashwilson/generate-secret into master May 23, 2013

Created by: smashwilson

This patch stores the secret token in a .gitignored file called ".secret", which is created by the initializer if it doesn't exist. This keeps the Rails session token out of version control and deals with a security vulnerability.

For reference:

http://blog.phusion.nl/2013/01/04/securing-the-rails-session-secret/

http://blog.codeclimate.com/blog/2013/03/27/rails-insecure-defaults/ (Item 3)

Admin message

Admin message

Security: keep the Rails secret token out of version control.

Merge request reports