
Ruby

Security hole in Treebook?

I just realized that I never thought about putting config/initializers/secret_token.rb into my .gitignore for public Github repositories. This exposes the secret token which Rails uses to verify the integrity of cookies. A quick look at some apps on Open Source Rails revealed that a number of apps also show their secret tokens publicly (as does Treebook), while other apps use environment variables and don't reveal their secret.

Am I just overreacting or is this actually a security threat?

Edit: There's also this blog post which says you shouldn't do it :)

5 Answers

Hey Philipp, thanks for bringing this up. I'm just a Rails wannabe, but it sure seems to me that the best practice is to store the secure password using an environmental variable or some other means of securing the token, or at least paying for a secure repo on github if the project is open source. I just tried to fix the issue on one of my fun apps by replacing the token with an env variable:

Funapp::Application.config.secret_token = ENV["SECRET_TOKEN"]

I then store the secret_token in my .env file, along with the passwords for Amazon S3 and Gmail passwords etc. Here's a blog post I did on one way of securing environmental variables.

Thanks Steve

I agree storing it in an environment variable seems to be a viable solution. I was just surprised that many popular apps show their secret tokens on Github. I also went through a number of Rails tutorials and never saw this issue mentioned.

Rails is kinda the new PHP littering the Internet with a bunch of really badly written and insecure code.

Also most demo code is insecure and often not really meant to scale to production levels, so no shock there.

I'm doing http://ruby.railstutorial.org/ right now and this post caught my eye.

Would something like

has_secure_password()

be an even better option, or am I totally confused and missing something?

I've only been attempting to learn programming for 7 months so please excuse my ignorance.

This would be in addition to using has_secure_password if you are creating your own authentication. I'm not sure if bcrypt-ruby that is used along with has_secure_password uses the secret_token, but if you add a remember me or forgot password option to your authentication, then it would definitely use the secret token when it creates the cookie.

Here's the railscast for how to add a remember me and forgot password to your rails app:

whoops, the link to the railscast didn't show, and the edit link isn't available to fix: http://railscasts.com/episodes/274-remember-me-reset-password

Thanks Steve! I'll check that out.

Edit: Looks like I clearly didn't understand what you guys were getting at. Sorry for being so ignorant. I see this issue now with signed cookies, so thank you for bringing this to my attention!

Upon further research I discovered that the secret token is only needed for signed cookies. So it may not be disastrous to expose the secret token if you never use signed cookies in your app. I would still go with environment variables.
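As an added example (not code from this thread or from Rails itself), here is a minimal Ruby stand-in for the signed-cookie verifier that secret_token feeds, plus the env-variable loading Steve describes. The CookieVerifier class and secret_token_from_env helper are hypothetical names; the SECRET_TOKEN variable name is the one used in Steve's answer. It shows why the secret matters only when cookies are signed: anyone holding the secret can produce a valid signature, and a cookie signed under one secret is rejected under another.

```ruby
require "openssl"
require "base64"

# Minimal stand-in for the message verifier behind Rails 3 signed cookies
# (hypothetical class, added for illustration). The cookie format mirrors the
# Rails one: base64(payload) + "--" + hex HMAC-SHA1 over the base64 payload.
class CookieVerifier
  def initialize(secret)
    raise ArgumentError, "secret_token must be set" if secret.nil? || secret.empty?
    @secret = secret
  end

  # Sign a cookie value; only someone holding @secret can produce this digest.
  def generate(value)
    data = Base64.strict_encode64(value)
    "#{data}--#{digest(data)}"
  end

  # Return the payload if the signature is valid under @secret, nil otherwise.
  def verify(signed)
    data, sig = signed.split("--", 2)
    return nil if data.nil? || sig.nil?
    return nil unless secure_compare(digest(data), sig)
    Base64.strict_decode64(data)
  rescue ArgumentError # malformed base64
    nil
  end

  private

  def digest(data)
    OpenSSL::HMAC.hexdigest("SHA1", @secret, data)
  end

  # Constant-time comparison so signature checks do not leak timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Load the token from the environment as the answers suggest, and fail fast at
# boot rather than silently signing cookies with a missing or short secret.
# (hypothetical helper; the 30-character floor is a constructed sanity check)
def secret_token_from_env(env = ENV)
  token = env["SECRET_TOKEN"]
  raise "SECRET_TOKEN is not set" if token.nil? || token.length < 30
  token
end
```

In an initializer this would be `Funapp::Application.config.secret_token = secret_token_from_env`, and rotating SECRET_TOKEN after a leak invalidates every previously issued signed cookie, exactly as the second assertion below shows.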