
Is it necessary to store the keys for development and testing environments in an ENV variable before pushing code to GitHub? I understand why keys should be hidden in production, but not why they should be hidden in development or testing.

```yaml
development:
  secret_key_base: reallylongkey

test:
  secret_key_base: anotherreallylongkey

production:
  secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
```

If I push that to GitHub, and leave the development and testing keys public, would my app be in danger?

calyxofheld

1 Answer


No, it won't, as long as you are not deploying a Rails app somewhere in development or test mode.

See What is the use of secret_key_base in rails 4

dre-hh
  • I'm slightly at a loss, here. The answer to that post says that 4.2 has done away with secret_token.rb. Then it links here: http://guides.rubyonrails.org/upgrading_ruby_on_rails.html#config-secrets-yml which implies that secret_token.rb still exists. However, in my app, it is not generated. – calyxofheld Jul 02 '15 at 23:33
  • The guide has just some notes about how to migrate previous Rails versions. It also says `Alternatively, you can simply copy the existing secret_key_base from the secret_token.rb initializer to secrets.yml`. From 4.2 Rails generates the skeleton app without `secret_token.rb` and puts the secrets into `secrets.yml` for all environments except production. In production you are supposed to provide the secrets through environment variables – dre-hh Jul 05 '15 at 18:47
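
A pre-deploy check for the `secrets.yml` layout discussed in this thread, as an added example that is not part of the original question or answers: it confirms that the production `secret_key_base` is read from the environment, is set, and does not reuse a key committed for development or test. The names `audit_secrets`, `ENV_TAG` and `FROM_ENV` are hypothetical, the sample file is constructed from the question, and only the `ENV["NAME"]` tag form is recognised.

```ruby
require "yaml"

# Constructed sample mirroring the secrets.yml shown in the question.
SAMPLE_SECRETS = <<~YAML
  development:
    secret_key_base: reallylongkey

  test:
    secret_key_base: anotherreallylongkey

  production:
    secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
YAML

# Matches only the <%= ENV["NAME"] %> form; other ERB is left untouched (assumption).
ENV_TAG  = /<%=\s*ENV\[["'](\w+)["']\]\s*%>/
FROM_ENV = "__FROM_ENV__"

# Hypothetical helper: returns a list of problems with the production entry.
def audit_secrets(raw, env = ENV)
  problems = []

  # Pass 1: mark ENV lookups so literals committed to the repository stand out.
  marked = YAML.safe_load(raw.gsub(ENV_TAG, FROM_ENV)) || {}
  committed = marked.reject { |name, _| name == "production" }
                    .map { |_, cfg| cfg.to_h["secret_key_base"] }
                    .compact - [FROM_ENV]
  unless marked.dig("production", "secret_key_base") == FROM_ENV
    problems << "production secret_key_base is a literal in the file"
  end

  # Pass 2: resolve the lookups against the environment being deployed to.
  resolved = YAML.safe_load(raw.gsub(ENV_TAG) { env[$1].to_s }) || {}
  prod = resolved.dig("production", "secret_key_base").to_s
  problems << "production secret_key_base is empty" if prod.empty?
  if committed.include?(prod)
    problems << "production reuses a key committed for another environment"
  end
  problems
end

# Stand-alone run: audit the sample against the current process environment.
puts audit_secrets(SAMPLE_SECRETS) if __FILE__ == $PROGRAM_NAME
```

An empty list means the production entry passed all three checks; in a real project, pass the contents of `config/secrets.yml` instead of the sample.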