I was concerned when I saw the title of the message, but I think the solution is as simple as just informing people to be sure that any README for Rails apps they share on GitHub (or wherever they have that token exposed), that the user of the application should change that token to a sufficiently random token, and that they should follow the security guide at http://guides.rubyonrails.org/security.html as well as keeping up with everything they can as it relates to security.
In the current release version of Rails (3.2.9), the file that Rails generates resides in: config/initializers/secret_token.rb
Unfortunately, it looks like the guide in 3.2.9 and master still refer to setting that value in environment.rb, even though it is set via config/initializers/secret_token.rb:
However, the “configuring” section in 3.2.9 and master were updated to indicate that config/initializers/secret_token.rb is the place where that is stored and that it is randomly generated, per: “Applications get
config.secret_key_base initialized to a random key in
It may be good to add in the guide that puppet, chef, capistrano, or whatever you use to deploy/setup could be used to copy an environment-specific version of that file and to guard it and config/database.yml with your life, if security is a concern, which it usually is.
Thanks for bringing this up, because it is a good idea to mention it for those sharing apps, and because it should probably be clearer in the Rails guide.
Unless someone else is messing with the guide, I could update security page to note the secret_token.rb file vs. use of environment.rb and to note that for a greater (suggested) level of security, database.yml and secret_token.rb should be copied during deploy and be specific for that environment. I don’t think that is overly opinionated as a basic level of security, is it?
Please go ahead!
That was quick :), thanks very much Gary!