Session secret should not be included in version control near line …


After using brakeman to test for security issues in your rails application you get the following warning about the config/initializers/secret_token.rb file:

Session secret should not be included in version control near line xx


Since you may have already pushed the original secret_token.rb in your version control you may need to do the following.

  • Make a copy of the file : cp config/initializers/secret_token.rb config/initializers/copy_of_secret_token.rb
  • Delete the original file that is also on your version control: rm config/initializers/secret_token.rb
  • Add it to .gitgnore
  • Commit your changes and push to your version control: git commit -a -m “remove secret token and include it in .gitignore”, git push (origin master)
  • Create a new secret key by running: rake secret
  • Copy the value from above to the file config/initializers/copy_of_secret_token.rb replacing the original value of config.secret_key_base
  • Rename the file to secret_token.rb again: mv config/initializers/copy_of_secret_token.rb config/initializers/secret_token.rb
  • Check that the new file is not listed in git when you do : git status

Upgrading your Rails 3.0.3 application

After the announcements in the previous posts about the security vulnerabilities in Rails 3.0.3, you would like to update your application and deploy with the latest 3.0.4 version.


  • Change your Gemfile to replace
    gem 'rails', '3.0.3'
    gem 'rails', '3.0.4'
  • Run:
    bundle update rails
  • Remove the old gems by using:
    git status
    and then
    git rm name_of_3.0.3_gem
  • Add the new gems to your git
    git add vendor/cache
  • Check in to your repository the new files
    git commit vendor/cache -m 'upgrade to rails 3.0.4'
  • Make sure that you also check in both your Gemfile and Gemfile.lock into your git repository
    git commit Gemfile Gemfile.lock -m 'update Gemfiles to use 3.0.4'
    otherwise when you try to deploy you will see the error:
    You have modified your Gemfile in development but did not check the resulting snapshot (Gemfile.lock) into version control
  • push everything to your git repository:
    git push
  • Deploy your application with capistrano as usual:
    cap deploy
  • Your new gems for 3.0.4 should be installed on the share/bundle folder