I've talked at length with developers at Heroku; we're interested in making the 
default security of new Rails apps better out of the box.  

I know there is a much larger discussion going on and I believe there are one 
or more people actively looking into the options. I would like to work with 
anyone interested in security to figure out a good workflow with Heroku. One 
option we discussed would be automatically setting a config var such as 
SECRET_TOKEN from the Heroku buildpack, so that it wouldn't matter if your source 
got exposed; they would need to get into your app as well.

Being able to set the token from an environment variable could also allow 
services to rotate the token without having to modify any files, or touch 
anything you've got in Git. Just a thought.

So again: feel free to ping me on Twitter (@schneems) or in chat: 
[email protected] if you're working on security updates. I would like 
to help make the default experience secure and seamless. 

-- 
Richard Schneeman
http://heroku.com

@schneems (http://twitter.com/schneems)




On Friday, January 11, 2013 at 5:29 AM, Rodrigo Rosenfeld Rosas wrote:

> b 

-- 
You received this message because you are subscribed to the Google Groups "Ruby 
on Rails: Core" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to 
[email protected].
For more options, visit this group at 
http://groups.google.com/group/rubyonrails-core?hl=en.

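The workflow sketched in the message above (secret token read from an environment variable rather than a file in git, rotated by changing the config var) as an added example. This is illustration code written for this page, not Rails' or Heroku's own implementation: the helper names, the 30-byte minimum, the hypothetical `heroku config:set` hint in the error message, and the in-memory hash standing in for Heroku's config vars are all assumptions. The signing scheme mirrors the shape of a Rails signed cookie (`payload--HMAC`) only to show why rotating the token invalidates existing sessions.

```ruby
require 'openssl'
require 'securerandom'

# Assumed floor for the secret; chosen for illustration, not taken from Rails.
MIN_SECRET_BYTES = 30

# Resolve the session secret from the environment (Heroku config var) instead
# of a committed initializer. Fails closed: a missing or short secret raises
# rather than silently falling back to a hard-coded value that lives in git.
# `env` defaults to ENV; tests pass a constructed hash instead.
def secret_token_from_env(env = ENV, name = 'SECRET_TOKEN')
  token = env[name].to_s
  if token.empty?
    # Hypothetical hint; the exact buildpack/CLI workflow is not specified on this page.
    raise ArgumentError, "#{name} is not set (e.g. heroku config:set #{name}=$(openssl rand -hex 64))"
  end
  if token.bytesize < MIN_SECRET_BYTES
    raise ArgumentError, "#{name} is only #{token.bytesize} bytes; need at least #{MIN_SECRET_BYTES}"
  end
  token
end

# 128 hex characters (512 bits) from a CSPRNG; what a buildpack or a rotation
# job would generate and store as the config var.
def generate_secret_token
  SecureRandom.hex(64)
end

# payload--HMAC-SHA256(secret, payload), the general shape of a signed cookie.
def sign(secret, value)
  "#{value}--#{OpenSSL::HMAC.hexdigest('SHA256', secret, value)}"
end

# Constant-time comparison so verification does not leak the digest byte by byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Returns the payload when the signature matches under `secret`, else nil.
# Splits on the last "--" so payloads containing "--" still verify.
def verify(secret, signed)
  value, sep, digest = signed.to_s.rpartition('--')
  return nil if sep.empty?
  secure_compare(digest, OpenSSL::HMAC.hexdigest('SHA256', secret, value)) ? value : nil
end

# Walk through a rotation: issue a cookie under the current token, replace the
# config var (no file or git change), and show the old cookie no longer verifies.
def rotation_walkthrough(env)
  old_secret = secret_token_from_env(env)
  cookie = sign(old_secret, 'user_id=42')

  env['SECRET_TOKEN'] = generate_secret_token   # the rotation step: only the env changes
  new_secret = secret_token_from_env(env)

  {
    before_rotation: verify(old_secret, cookie),                # "user_id=42"
    after_rotation:  verify(new_secret, cookie),                # nil: old sessions are invalidated
    forged:          verify(new_secret, 'user_id=1--' + '0' * 64) # nil: wrong MAC, same length
  }
end

if __FILE__ == $0
  # Constructed stand-in for Heroku's config vars; a real app reads ENV directly.
  env = { 'SECRET_TOKEN' => generate_secret_token }
  p rotation_walkthrough(env)
end
```

Because the token never touches the repository, a leaked source tree yields no signing key, and rotating it is a config change followed by a restart; the cost, visible in `after_rotation`, is that every signed cookie issued under the previous token becomes invalid, so a rotation should be scheduled like any other forced logout.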