An attacker who obtains the secret token can forge valid session cookies for your application or read what other users have inside their accounts. The solution is to:
- Generate the key manually
- Never commit the token to the version control repository
- Supply the token through an environment variable
- Dynamically generate a random secret key
I'm using a small code snippet below to generate a key dynamically:
```ruby
require 'securerandom'

# Return the application's secret token, creating and persisting one the
# first time it is needed. The token file must be git-ignored.
def find_secure_token
  token_file = Rails.root.join('.secret_token')
  if File.exist?(token_file)
    File.read(token_file).chomp
  else
    token = SecureRandom.hex(64)
    File.open(token_file, 'w') { |f| f.write(token) }
    token
  end
end

# Dynamically generate random security key
secret_key = find_secure_token
AppName::Application.config.secret_token = secret_key
```
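As an added example (not the original snippet above), here is a variant that combines the environment-variable and file-based approaches: it prefers a `SECRET_TOKEN` environment variable, falls back to a git-ignored token file, and otherwise generates a fresh token and writes it with owner-only permissions. The variable name, the file path and the minimum-length check are assumptions of this example, and it does not depend on Rails so it runs stand-alone.

```ruby
require 'securerandom'
require 'tmpdir'

# Resolve the secret token, in order of preference:
#   1. the SECRET_TOKEN environment variable (injected at deploy time);
#   2. an existing, git-ignored token file;
#   3. a freshly generated random value, persisted with mode 0600.
# SECRET_TOKEN and the 64-character minimum are assumptions for this example.
def resolve_secret_token(token_file, env = ENV)
  from_env = env['SECRET_TOKEN']
  return from_env unless from_env.nil? || from_env.strip.empty?

  if File.exist?(token_file)
    token = File.read(token_file).chomp
    # An empty or too-short value is treated as missing rather than accepted silently.
    return token if token.length >= 64
  end

  token = SecureRandom.hex(64)
  # Create the file readable and writable by the owner only, then enforce the
  # mode again in case the file already existed with looser permissions.
  File.open(token_file, File::WRONLY | File::CREAT | File::TRUNC, 0o600) do |f|
    f.write(token)
  end
  File.chmod(0o600, token_file)
  token
end

# Stand-alone demonstration in a scratch directory (constructed, not real app state).
if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    path = File.join(dir, '.secret_token')
    first  = resolve_secret_token(path, {})
    second = resolve_secret_token(path, {})
    puts "generated #{first.length} hex chars, persisted across calls: #{first == second}"
    puts "file mode: #{format('%o', File.stat(path).mode & 0o777)}"
    puts "env var wins: #{resolve_secret_token(path, 'SECRET_TOKEN' => 'e' * 64) == 'e' * 64}"
  end
end
```

In a Rails initializer you would call it with `Rails.root.join('.secret_token')` and assign the result to `config.secret_token`, exactly as the original snippet does.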
Hope it will help!