Session secret should not be included in version control near line …


After using brakeman to test for security issues in your rails application you get the following warning about the config/initializers/secret_token.rb file:


Since you may have already pushed the original secret_token.rb in your version control you may need to do the following.

  • Make a copy of the file : cp config/initializers/secret_token.rb config/initializers/copy_of_secret_token.rb
  • Delete the original file that is also on your version control: rm config/initializers/secret_token.rb
  • Add it to .gitgnore
  • Commit your changes and push to your version control: git commit -a -m “remove secret token and include it in .gitignore”, git push (origin master)
  • Create a new secret key by running: rake secret
  • Copy the value from above to the file config/initializers/copy_of_secret_token.rb replacing the original value of config.secret_key_base
  • Rename the file to secret_token.rb again: mv config/initializers/copy_of_secret_token.rb config/initializers/secret_token.rb
  • Check that the new file is not listed in git when you do : git status