Secrets are currently posted publicly in the repository, including database credentials and our AirBrake API key. These need to be removed, and a deployment process needs to be established in the production environment to fill them in appropriately.
AFAIK our Postgres does not accept connections from the internet at large, so it's not currently a vulnerability, but of course the DB credentials should be removed regardless. I've changed all DB passwords on the server and will figure out a solution for automatically filling them in ASAP.
The canonical solution to this is to use environment variables on the production server. We are now doing this with the Airbrake API key.
Alternatively, Rails 5.1 has a new feature called Encrypted Secrets that lets you store the secrets, encrypted, right in version control; they are edited using bin/rails secrets:edit and decrypted in appropriate environments using a separately generated key. An upgrade to this version of Rails is planned — see #101.
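An added example, not part of the original thread or the project's code, of the environment-variable approach described above: a database config template that holds no credentials, a loader that refuses to start when a secret is missing, and a check for literal secrets in committed config. The variable names (DB_USERNAME, DB_PASSWORD, AIRBRAKE_API_KEY), the database name and the template itself are assumptions.

```ruby
require "erb"
require "json"
require "yaml"

# Constructed template: credentials are looked up at load time, so the
# committed file contains no secret. to_json quotes the value so that
# characters such as ':' or '#' in a password cannot break the YAML.
DATABASE_TEMPLATE = <<~TEMPLATE
  production:
    adapter: postgresql
    database: app_production
    username: <%= env.fetch("DB_USERNAME").to_json %>
    password: <%= env.fetch("DB_PASSWORD").to_json %>
TEMPLATE

# Assumed variable names; adjust to the deployment's own.
REQUIRED_VARS = %w[DB_USERNAME DB_PASSWORD AIRBRAKE_API_KEY].freeze

# Returns the names of required variables that are unset or blank.
def missing_secrets(env)
  REQUIRED_VARS.select { |name| env[name].to_s.strip.empty? }
end

# Renders the template against the environment. Raises instead of
# falling back to a default when any required secret is absent.
def load_database_config(env = ENV)
  missing = missing_secrets(env)
  raise KeyError, "missing secrets: #{missing.join(', ')}" unless missing.empty?

  YAML.safe_load(ERB.new(DATABASE_TEMPLATE).result_with_hash(env: env))
end

# Returns config lines that assign a literal value to a secret-looking key
# rather than an ERB lookup; usable as a pre-commit or CI check.
def hardcoded_secret_lines(text)
  text.each_line.select do |line|
    line =~ /^\s*(password|api_key|secret\w*)\s*:\s*\S/i && !line.include?("<%=")
  end.map(&:strip)
end
```
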