aboutsummaryrefslogtreecommitdiffstats
path: root/guides/source/security.md
diff options
context:
space:
mode:
Diffstat (limited to 'guides/source/security.md')
-rw-r--r--guides/source/security.md45
1 files changed, 21 insertions, 24 deletions
diff --git a/guides/source/security.md b/guides/source/security.md
index 882daa9806..a74de22ac0 100644
--- a/guides/source/security.md
+++ b/guides/source/security.md
@@ -98,7 +98,7 @@ Rails 2 introduced a new default session storage, CookieStore. CookieStore saves
In Rails 4, encrypted cookies through AES in CBC mode with HMAC using SHA1 for
verification was introduced. This prevents the user from accessing and tampering
the content of the cookie. Thus the session becomes a more secure place to store
-data. The encryption is performed using a server-side `secrets.secret_key_base`.
+data. The encryption is performed using a server-side `secret_key_base`.
Two salts are used when deriving keys for encryption and verification. These
salts are set via the `config.action_dispatch.encrypted_cookie_salt` and
`config.action_dispatch.encrypted_signed_cookie_salt` configuration values.
@@ -111,18 +111,9 @@ Encrypted cookies are automatically upgraded if the
_Do not use a trivial secret, i.e. a word from a dictionary, or one which is shorter than 30 characters! Instead use `rails secret` to generate secret keys!_
-Applications get `secrets.secret_key_base` initialized to a random key present in `config/secrets.yml`, e.g.:
+In test and development applications get a `secret_key_base` derived from the app name. Other environments must use a random key present in `config/credentials.yml.enc`, shown here in its decrypted state:
- development:
- secret_key_base: a75d...
-
- test:
- secret_key_base: 492f...
-
- production:
- secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
-
-Older versions of Rails use CookieStore, which uses `secret_token` instead of `secret_key_base` that is used by EncryptedCookieStore. Read the upgrade documentation for more information.
+ secret_key_base: 492f...
If you have received an application where the secret was exposed (e.g. an application whose source was shared), strongly consider changing the secret.
@@ -1032,27 +1023,33 @@ Environmental Security
It is beyond the scope of this guide to inform you on how to secure your application code and environments. However, please secure your database configuration, e.g. `config/database.yml`, and your server-side secret, e.g. stored in `config/secrets.yml`. You may want to further restrict access, using environment-specific versions of these files and any others that may contain sensitive information.
-### Custom secrets
+### Custom credentials
+
+Rails generates a `config/credentials.yml.enc` to store third-party credentials
+within the repo. This is only viable because Rails encrypts the file with a master
+key that's generated into a version control ignored `config/master.key` — Rails
+will also look for that key in `ENV["RAILS_MASTER_KEY"]`. Rails also requires the
+the key to boot in production, so the credentials can be read.
+
+To edit stored credentials use `bin/rails credentials:edit`.
-Rails generates a `config/secrets.yml`. By default, this file contains the
-application's `secret_key_base`, but it could also be used to store other
-secrets such as access keys for external APIs.
+By default, this file contains the application's
+`secret_key_base`, but it could also be used to store other credentials such as
+access keys for external APIs.
-The secrets added to this file are accessible via `Rails.application.secrets`.
-For example, with the following `config/secrets.yml`:
+The credentials added to this file are accessible via `Rails.application.credentials`.
+For example, with the following decrypted `config/credentails.yml.enc`:
- development:
- secret_key_base: 3b7cd727ee24e8444053437c36cc66c3
- some_api_key: SOMEKEY
+ secret_key_base: 3b7cd727ee24e8444053437c36cc66c3
+ some_api_key: SOMEKEY
-`Rails.application.secrets.some_api_key` returns `SOMEKEY` in the development
-environment.
+`Rails.application.credentails.some_api_key` returns `SOMEKEY` in any environment.
If you want an exception to be raised when some key is blank, use the bang
version:
```ruby
-Rails.application.secrets.some_api_key! # => raises KeyError: key not found: :some_api_key
+Rails.application.credentails.some_api_key! # => raises KeyError: key not found: :some_api_key
```
Additional Resources
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-29 05:52:11 +0000