Saturday, 28 September 2013

Link: don't publish your secret keys on github

I probably don't really need to tell you that it's dangerous to publish secret keys on a public website... but which key am I talking about here?

  # this one...
  MyApp::Application.config.secret_key_base = 'fb636477f014943b9cf2d202f9da4349a580fbb9521ef38d8dc0111ae933a10bfec732ce7d563a854db1663ba00af1db21d06d6764d84a88d0a6286bcd2299e2'

It's one of those things that often gets overlooked...

  rails new
  git add .
  git push

Bam!

But if you're on heroku, rather than deploying to your own hosted site (where you can easily drop config files into a shared directory), how do you supply a secret key without committing it?

Here's a great little gist that will show you how to set it up on an environment variable.


Update/gotcha

Don't forget that if you put more than one of these into your .env file, you need to append to the file rather than overwrite it, or you have just clobbered your existing secret key (oops).
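To make both of the above concrete (reading the key from an environment variable instead of hardcoding it, and adding a second variable to .env without clobbering the first), here is an added example in Ruby. It is not the gist the post links to and not Rails' own code; the module name, the .env path, the MissingSecret error and the append helper are all assumptions made for illustration. The 128-character minimum matches what `rake secret` generates (64 random bytes as hex).

```ruby
# Added example (not the post's gist): generate a secret_key_base, store it in
# a .env file without clobbering existing entries, and load it into Rails
# config with a fail-fast check. Module, file and variable names are assumptions.
require 'securerandom'
require 'tmpdir'

module SecretKeyEnv
  class MissingSecret < StandardError; end

  VAR_NAME = 'SECRET_KEY_BASE'.freeze
  # `rake secret` produces 128 hex characters (64 random bytes); accept no less.
  MIN_HEX_LENGTH = 128

  # Equivalent of `rake secret`: 64 random bytes rendered as hex.
  def self.generate
    SecureRandom.hex(64)
  end

  # Append NAME=value to the .env file. This is the gotcha from the post:
  # File.write (or `echo ... > .env`) truncates the file and silently destroys
  # every variable already stored there, so always open in append mode.
  # Refuse to add a duplicate name so an earlier value is not shadowed.
  # Returns the number of lines now in the file.
  def self.append_to_dotenv(path, name, value)
    existing = File.exist?(path) ? File.readlines(path).map(&:chomp) : []
    if existing.any? { |line| line.start_with?("#{name}=") }
      raise ArgumentError, "#{name} already present in #{path}; edit it explicitly"
    end
    File.open(path, 'a') { |f| f.puts "#{name}=#{value}" }
    existing.size + 1
  end

  # Parse NAME=value lines (ignoring blanks and comments) into a hash, the way
  # foreman/dotenv would expose them to the process.
  def self.load_dotenv(path)
    File.readlines(path).map(&:chomp).each_with_object({}) do |line, env|
      next if line.strip.empty? || line.start_with?('#')
      key, val = line.split('=', 2)
      env[key] = val
    end
  end

  # What the initializer should do instead of hardcoding the key: read it from
  # ENV and refuse to boot if it is missing or too short, so a misconfigured
  # deploy fails loudly instead of signing sessions with an empty or weak key.
  def self.fetch(env = ENV)
    key = env[VAR_NAME].to_s
    if key.length < MIN_HEX_LENGTH
      raise MissingSecret,
            "#{VAR_NAME} is missing or shorter than #{MIN_HEX_LENGTH} chars; run `rake secret` and set it"
    end
    key
  end
end

# In config/initializers/secret_token.rb this replaces the hardcoded literal:
#   MyApp::Application.config.secret_key_base = SecretKeyEnv.fetch
```

Locally the .env file is read by foreman; on heroku itself the same variable is set with `heroku config:set SECRET_KEY_BASE=...` and never lives in the repository. The `fetch` helper deliberately raises rather than falling back to a default, because a default secret is exactly the published-key problem in another form.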


Further update

If you're on heroku and you put one of these environment variables into code that is evaluated at compile time (config/initializers/devise.rb, for instance), you will need to switch on heroku's "compile time environment variable" option, user-env-compile, or you will not even be able to deploy your site.

This feature makes your environment variables available while the slug is being compiled (which is when things like bundler and asset compilation are run).

Note that this is an experimental heroku:labs feature - so blah blah use at your own risk blah...

2 comments:

Aen Tan said...

I'm using the Figaro gem for this.

Taryn East said...

cool. tell us how :)