2016
Security On Rails: Hacking Sessions With Insecure Secret Key Base
I was recently asked what secret_key_base is used for in Rails applications and why an insecure value (or, even worse, a public one!) creates a security issue. That was a really good question. I remember how serious a threat it was years ago, especially before secrets.yml was introduced in Rails 4.1: until then a secret_token initializer was generated by default and the secret key was stored directly in it. The result was that in many open source projects the secret key was publicly available, creating a great security risk. Let's take a look at how an exposed secret key base can be exploited.
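As an added example (not code from the original post), the Ruby script below checks the two places mentioned above for a committed secret: a pre-4.1 `config/initializers/secret_token.rb` and a 4.1-style `config/secrets.yml`, both reconstructed here as constructed sample strings. It also mirrors the Rails 4 signed-cookie layout (Base64 payload, `--`, hex HMAC-SHA1 digest, the format `ActiveSupport::MessageVerifier` produced at the time, reimplemented here without loading ActiveSupport) so that it can show the remediation side: a session signed under a leaked key stops verifying as soon as `secret_key_base` is rotated. The file contents, key values and function names are all assumptions.

```ruby
require 'yaml'
require 'base64'
require 'openssl'

# Constructed sample: a Rails <= 4.0 style config/initializers/secret_token.rb
# with the key committed in clear text.
SECRET_TOKEN_RB = <<~RUBY
  # Be sure to restart your server when you modify this file.
  MyApp::Application.config.secret_token = 'e1f7b3c9d2a4e6f8b0c2d4e6f8a0b2c4d6e8f0a2b4c6d8e0f2a4b6c8d0e2f4a6'
RUBY

# Constructed sample: a Rails 4.1 style config/secrets.yml. Only production
# reads the key from the environment; development and test still ship literals.
SECRETS_YML = <<~YAML
  development:
    secret_key_base: d7c8b1a2f3e4d5c6b7a8f9e0d1c2b3a4f5e6d7c8b9a0f1e2d3c4b5a6f7e8d9c0
  test:
    secret_key_base: a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1
  production:
    secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
YAML

# True when the old initializer assigns a literal string to secret_token,
# i.e. the key itself lives in the repository.
def hardcoded_secret_token?(source)
  !!(source =~ /config\.secret_token\s*=\s*['"][^'"]+['"]/)
end

# Classify secret_key_base per environment in a secrets.yml file:
#   :env     -> pulled from ENV through ERB at boot (safe to commit)
#   :literal -> the key itself is in the file (unsafe once the repo is shared)
#   :missing -> no value at all
# The raw file is parsed before ERB runs so the <%= ENV[...] %> marker is visible.
def classify_secrets(yaml_source)
  YAML.safe_load(yaml_source).each_with_object({}) do |(env, settings), result|
    value = settings && settings['secret_key_base']
    result[env] =
      if value.nil? || value.to_s.strip.empty? then :missing
      elsif value.to_s =~ /<%=\s*ENV/ then :env
      else :literal
      end
  end
end

# Rails 4 style signed cookie: Base64(payload) + "--" + HMAC-SHA1(secret, Base64(payload)).
# Assumption: same layout as ActiveSupport::MessageVerifier of that era.
def sign_cookie(payload, secret)
  data = Base64.strict_encode64(payload)
  "#{data}--#{OpenSSL::HMAC.hexdigest('SHA1', secret, data)}"
end

# Constant-time comparison so timing does not reveal how many digest bytes matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the payload when the cookie was signed with +secret+, nil otherwise.
def verify_cookie(cookie, secret)
  data, digest = cookie.split('--', 2)
  return nil if data.nil? || digest.nil?
  expected = OpenSSL::HMAC.hexdigest('SHA1', secret, data)
  secure_compare(expected, digest) ? Base64.strict_decode64(data) : nil
end

if __FILE__ == $PROGRAM_NAME
  puts "secret_token.rb hardcoded: #{hardcoded_secret_token?(SECRET_TOKEN_RB)}"
  classify_secrets(SECRETS_YML).each { |env, kind| puts "#{env}: #{kind}" }

  # Remediation after a leak: rotate the key. Cookies minted under the old
  # (now public) key no longer verify, which forces every session to be re-issued.
  leaked_key  = 'd7c8b1a2f3e4d5c6b7a8f9e0d1c2b3a4f5e6d7c8b9a0f1e2d3c4b5a6f7e8d9c0'
  rotated_key = 'constructed-new-secret-after-rotation'
  cookie = sign_cookie('{"user_id":1}', leaked_key)
  puts "before rotation: #{verify_cookie(cookie, leaked_key).inspect}"
  puts "after rotation:  #{verify_cookie(cookie, rotated_key).inspect}"
end
```

Run it against a real checkout by replacing the two constructed strings with `File.read` of the actual files; any environment reported as `:literal` in a repository that is shared or published is the situation this post is about.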