tommyd456

Reputation: 10673

Heroku Config Secret Key Base Error

Just pushed my first app to Heroku using Git and straight away got an Internal Server Error.

You must set config.secret_key_base in your app's config.

This is because in my .gitignore file the following file is included:

config/initializers/secret_token.rb

I am using a standard template for my .gitignore file found here: https://github.com/github/gitignore/blob/master/Rails.gitignore

My Question: Should I set this key via Heroku directly for added security and if so how?

OR

should I just remove this line from my .gitignore file?

Upvotes: 26

Views: 21586

Answers (3)

superluminary

Reputation: 49152

Set it as a Heroku environment variable, & provide a fallback for development

Remove the hardcoded secret, check the secret initialiser into version control, set an environment variable on Heroku, and provide a fallback for development and stage.

1. Remove the hardcoded secret, and optionally provide a fallback:

Edit your config/initializers/secure_random.rb to remove the hardcoded secret for production. Optionally include a fallback for non-production environments if you'd rather not change the way you start your server.

# Production reads the secret from the SECRET_TOKEN config var; every other environment uses a fixed fallback
secret = Rails.env.production? ? ENV['SECRET_TOKEN'] : "top_secret_token"
YourApp::Application.config.secret_key_base = secret

2. Check config/initializers/secure_random.rb into git

Edit .gitignore and remove the line:

config/initializers/secret_token.rb

Now commit the file.

3. Set the secret key for Heroku

Run:

rake secret

to generate a random alphanumeric string. I like to make doubly sure by mixing the key up a little by hand as well, just in case a future weakness is discovered in the key generation algorithm, as happened for Debian not so long ago. Probably this is unnecessary.

Next run:

heroku config:set SECRET_TOKEN=paste_random_string_here

to set the secret as a Heroku environment variable. Deploy to Heroku and you're done.

Upvotes: 10
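The initializer logic from the answer above, worked through as an added example (not the answer's own code, and not Rails API): in production the secret must come from the SECRET_TOKEN config var and the app refuses to boot if it is missing or short, while other environments fall back to a fixed value. The names resolve_secret_key_base, generate_secret, DEV_FALLBACK and MIN_PRODUCTION_SECRET_LENGTH are chosen here for illustration.

```ruby
require 'securerandom'

# Added example (not the answer's own code): the initializer logic above with a
# fail-fast check in production. resolve_secret_key_base, generate_secret and
# DEV_FALLBACK are illustrative names chosen here, not Rails API.

DEV_FALLBACK = "top_secret_token".freeze   # only ever used outside production

# `rake secret` returns SecureRandom.hex(64): 128 hex characters (512 bits).
def generate_secret
  SecureRandom.hex(64)
end

# Refuse anything shorter than this in production; a hand-typed "password"
# style secret makes every session cookie forgeable.
MIN_PRODUCTION_SECRET_LENGTH = 64

# rails_env: the Rails environment name ("production", "development", ...)
# env:       a Hash standing in for ENV, so the logic can be exercised without
#            touching the real process environment
def resolve_secret_key_base(rails_env, env)
  if rails_env == "production"
    secret = env["SECRET_TOKEN"]
    if secret.nil? || secret.strip.empty?
      # Booting with a nil/blank secret would sign cookies with an empty key.
      raise ArgumentError,
            "SECRET_TOKEN is not set; run: heroku config:set SECRET_TOKEN=$(rake secret)"
    end
    if secret.length < MIN_PRODUCTION_SECRET_LENGTH
      raise ArgumentError,
            "SECRET_TOKEN is only #{secret.length} chars; generate one with `rake secret`"
    end
    secret
  else
    # Development/test: use an exported SECRET_TOKEN if present, else the
    # fallback, so `rails server` works with no extra setup.
    env.fetch("SECRET_TOKEN", DEV_FALLBACK)
  end
end

# In config/initializers/secret_token.rb the last line would become:
#   YourApp::Application.config.secret_key_base = resolve_secret_key_base(Rails.env, ENV)
if __FILE__ == $0
  puts resolve_secret_key_base("development", {})
  puts resolve_secret_key_base("production", { "SECRET_TOKEN" => generate_secret })
end
```

Failing at boot is deliberate: a production dyno that starts with an empty secret_key_base signs every session cookie with an empty key, which is far worse than a visible crash on deploy.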

nmott

Reputation: 9604

In addition to setting the secret token as an ENV variable on Heroku, as outlined by Nick Ginanto, you also need the following to make this work.

Remove the config/initializers/secret_token.rb from .gitignore

Change the line in this file to:

# Read the secret from the SECRET_TOKEN config var (Heroku) or the local .env file (foreman)
MyApp::Application.config.secret_token = ENV['SECRET_TOKEN']

This will then pick up the secret token you have set with Heroku's config vars.

In order for the token to be picked up in your local environment you will need to add it. There are a number of options here but the one closest to Heroku is to use the foreman gem along with a .env file in your project root. The .env will need to have the secret_token:

SECRET_TOKEN=NKUd7gisd7fueAISDfg....

You can use the rake secret command to generate tokens. Make sure your .env file is added to .gitignore.

With all this in place you will have different tokens for Heroku and local and your token will not be in your source control.

Upvotes: 32
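The local .env step above, as an added example (not foreman's code and not the answer's own): a minimal dotenv-style loader that reads KEY=VALUE lines into a hash standing in for ENV without overriding variables that are already set, plus a check that .env is listed in .gitignore. The function names parse_dotenv, load_dotenv and dotenv_ignored? and both sample files are constructed for this example.

```ruby
# Added example (not foreman's or the answer's code): a minimal .env loader in
# the spirit of foreman/dotenv, plus a check that .env is gitignored.
# parse_dotenv, load_dotenv and dotenv_ignored? are illustrative names, and the
# two sample files below are constructed for this example.

SAMPLE_DOTENV = <<-ENVFILE
# local secrets only; never committed
SECRET_TOKEN=NKUd7gisd7fueAISDfg0123456789abcdef0123456789abcdef0123456789abcdef
DATABASE_URL="postgres://localhost/myapp_development"
EMPTY=
ENVFILE

SAMPLE_GITIGNORE = <<-GITIGNORE
/.bundle
/log/*.log
/tmp
.env
GITIGNORE

# Parse KEY=VALUE lines; blank lines and # comments are skipped, and one layer
# of matching quotes around the value is removed.
def parse_dotenv(text)
  vars = {}
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?("#")
    key, value = line.split("=", 2)
    next if value.nil?
    key = key.strip
    next unless key =~ /\A[A-Za-z_][A-Za-z0-9_]*\z/
    value = value.strip
    if value.length >= 2 && value[0] == value[-1] && %w[" '].include?(value[0])
      value = value[1..-2]
    end
    vars[key] = value
  end
  vars
end

# Copy parsed values into a target hash (ENV in real use) without overriding
# keys that are already set, so a Heroku config var or an exported shell
# variable always wins over the file.
def load_dotenv(text, target)
  parse_dotenv(text).each { |k, v| target[k] = v unless target.key?(k) }
  target
end

# True if a .gitignore body lists the .env file itself.
def dotenv_ignored?(gitignore_text)
  gitignore_text.each_line.any? { |l| [".env", "/.env"].include?(l.strip) }
end

if __FILE__ == $0
  env = load_dotenv(SAMPLE_DOTENV, {})
  puts "SECRET_TOKEN loaded: #{env["SECRET_TOKEN"].length} chars"
  puts ".env gitignored: #{dotenv_ignored?(SAMPLE_GITIGNORE)}"
end
```

The "existing value wins" rule matters in practice: if a CI job or a Heroku dyno already has SECRET_TOKEN in its environment, a stray .env must not silently replace it.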

Nick Ginanto

Reputation: 32120

It's best to use an ENV variable for this.

This way you can invalidate all the cookies quickly if needed, have a separate secret per environment, and there is no need to deal with the file in a special way.

heroku config:set SECRET_TOKEN=ertbs45tnsb3aw5bsxdrt54...

If you duplicated the app or have another app set up in Heroku, each app will have its own secret_token. On your local machine just set up the same variable.

Upvotes: 6
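The cookie-invalidation point in the answer above, as an added example (not Rails' own code): a Rails-style signed cookie of the form "<base64 payload>--<hex HMAC-SHA1>" built by hand, verified under the old secret and then under a freshly rotated one, to show that changing the config var rejects every cookie issued before the rotation. The names sign_cookie, verify_cookie and secure_compare are chosen here for illustration; Rails itself does this through ActiveSupport::MessageVerifier keyed from secret_key_base.

```ruby
require 'openssl'
require 'base64'
require 'securerandom'

# Added example, not Rails' own code: a Rails-style signed cookie
# ("<base64 payload>--<hex HMAC-SHA1>") built by hand to show why rotating the
# secret invalidates every existing cookie at once. sign_cookie, verify_cookie
# and secure_compare are illustrative names; Rails does this via
# ActiveSupport::MessageVerifier keyed from secret_key_base.

# Constant-time comparison so the verifier does not leak the digest byte by byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

def sign_cookie(secret, payload)
  data = Base64.strict_encode64(payload)
  digest = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA1"), secret, data)
  "#{data}--#{digest}"
end

# Returns the payload when the signature matches the secret, nil otherwise.
def verify_cookie(secret, cookie)
  data, digest = cookie.split("--", 2)
  return nil if data.nil? || digest.nil?
  expected = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA1"), secret, data)
  return nil unless secure_compare(expected, digest)
  Base64.strict_decode64(data)
rescue ArgumentError
  nil # malformed base64
end

if __FILE__ == $0
  old_secret = SecureRandom.hex(64)
  new_secret = SecureRandom.hex(64) # the value set via heroku config:set after rotation
  cookie = sign_cookie(old_secret, "session_id=abc123;user_id=42")
  puts "under old secret: #{verify_cookie(old_secret, cookie).inspect}"
  puts "under new secret: #{verify_cookie(new_secret, cookie).inspect}"
end
```

Because the signature is an HMAC over the payload keyed with the secret, no cookie signed under the old value verifies under the new one, which is exactly the "invalidate all the cookies quickly" property; it also shows why the secret must never reach source control, since anyone holding it can mint a valid session cookie for any user.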
