Skip to content

Security: keep the Rails secret token out of version control.

Created by: smashwilson

This patch stores the secret token in a .gitignored file called ".secret", which is created by the initializer if it doesn't exist. This keeps the Rails session token out of version control and deals with a security vulnerability.

For reference:

http://blog.phusion.nl/2013/01/04/securing-the-rails-session-secret/

http://blog.codeclimate.com/blog/2013/03/27/rails-insecure-defaults/ (Item 3)

Merge request reports

Loading