Ruby on Rails Monday, July 17, 2017

> On Jul 17, 2017, at 3:26 PM, Ralph Shnelvar <> wrote:
> If my code will not be shared, and
> My Rails app is on my own server, then
> Does it make a difference if the secret keys are in environment variables or ~/config/secrets.yml ?
> Ralph

Probably not. But if the configuration comes from the environment, and the Apache/Nginx configs are owned by a different user than the Rails app, then maybe there's a need for an attacker to get root or at least compromise two users in order to access the configuration. Seems weak as an argument to me. If someone owns your server, they own your server. These files need to be readable for other processes to read them.

I suspect that the larger issue under protection here is you uploading your code to Github/lab and then forgetting and making it public.
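As an added example (not code from the thread), a small Ruby audit script that makes the two points above concrete: it reports whether each entry in config/secrets.yml is deferred to ENV or stored as a literal, whether the file is readable by other users on the box, and whether it is listed in .gitignore to guard against the accidental public push. The sample YAML and the temporary app layout are constructed for the demo.

```ruby
# Added audit helper, not from the original thread. Inspects a Rails-style
# config/secrets.yml and reports how each secret is sourced and whether the
# file itself is exposed. The sample YAML and paths below are constructed.
require "yaml"
require "erb"
require "tmpdir"
require "fileutils"

# Constructed sample: one secret pulled from ENV, one hardcoded literal.
SAMPLE_SECRETS_YML = <<~YAML
  production:
    secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
    smtp_password: "hunter2"
YAML

# Classify each secret for the given environment as :env (deferred to the
# process environment at boot) or :literal (stored in the file itself).
def classify_secrets(yaml_source, env_name = "production")
  rendered = ERB.new(yaml_source).result(binding)
  data = YAML.safe_load(rendered) || {}
  keys = (data[env_name] || {}).keys
  keys.each_with_object({}) do |key, out|
    # Look at the raw template line so ENV references are visible even
    # when the variable is unset and rendered to an empty value.
    line = yaml_source.lines.find { |l| l.strip.start_with?("#{key}:") }
    out[key] = line && line.include?("ENV[") ? :env : :literal
  end
end

# File-level exposure: group/world readable mode, and whether the file is
# excluded from version control.
def audit_secrets_file(app_root)
  path = File.join(app_root, "config", "secrets.yml")
  mode = File.stat(path).mode & 0o777
  gitignore = File.join(app_root, ".gitignore")
  ignored = File.exist?(gitignore) &&
            File.readlines(gitignore).any? { |l| l.strip == "config/secrets.yml" }
  {
    mode: format("%o", mode),
    readable_by_others: (mode & 0o044) != 0,
    gitignored: ignored,
    secrets: classify_secrets(File.read(path))
  }
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |root|
    FileUtils.mkdir_p(File.join(root, "config"))
    File.write(File.join(root, "config", "secrets.yml"), SAMPLE_SECRETS_YML)
    File.chmod(0o644, File.join(root, "config", "secrets.yml"))
    p audit_secrets_file(root)
  end
end
```

Run it against a real app root instead of the temp dir to see which secrets would leak with the file and which would not.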
