I receive this warning when running my specs. Is there a best practice for generating a secret_key_base, or will any string suffice (with regard to security concerns)?
5 Answers
You probably upgraded to Rails 4 from a 3.x or a previous version.
First generate a random secret key value:
```
$ bundle exec rake secret
```
Then take that value and put it in `config/initializers/secret_token.rb`:
```
YourApp::Application.config.secret_key_base = 'your-secret'
```
replacing `YourApp` with the name of your application.
The reason for this is explained here.
Also see http://guides.rubyonrails.org/upgrading_ruby_on_rails.html#config-secrets-yml

- But I don't have `secret_token.rb` at `config/initializers/secret_token.rb`. What should I do? I am getting this error: `You must set config.secret_key_base in your app's config.` What can I do to resolve it? – user88 Jun 16 '14 at 12:30
- Look at `config/secrets.yml` and http://guides.rubyonrails.org/upgrading_ruby_on_rails.html#config-secrets-yml – tamouse Sep 24 '14 at 05:33
- In case anyone is curious, [`rake secret`](https://github.com/rails/rails/blob/d20f7b043a537b57ff4a7911f65de2fb7b7aea7d/railties/lib/rails/tasks/misc.rake#L1-L5) is just (currently) doing `puts SecureRandom.hex(64)` – Abe Voelker Oct 30 '14 at 17:36
- Does this still need to be done in `secret_token.rb`? I'm getting mixed information about `secrets.yml` – OneHoopyFrood Feb 12 '15 at 17:55
- @OneHoopyFrood it can be done either way. You don't have to implement `secrets.yml` but it now comes stock with new Rails 4(.2+?) installations and if you use that you would get rid of the `secret_token.rb` file – sixty4bit Mar 20 '15 at 14:45
- I didn't add secret_key_base to that file, just secret_token. That got it to work for me. Actually, it just loads the token from the env. – Nick Res Apr 06 '15 at 02:51
- Does anything break if you set `YourApp::Application.config.secret_key_base = SecureRandom.hex(64)`? – Kris Robison Sep 09 '15 at 23:05
- @KrisRobison yes, every time your application is restarted all of the previously generated cookies will be invalid, thus logging out all your users. – Reed G. Law Apr 25 '16 at 12:02
- FYI - You may already have `secret_token` set in `config/initializers/secret_token.rb`. You'll continue to get the deprecation warning until you set `secret_key_base`. This can affect users as the newly signed cookies will not be backwards compatible with older cookies. [More info here.](http://edgeguides.rubyonrails.org/upgrading_ruby_on_rails.html#action-pack) – Dennis Jul 01 '16 at 18:24
- Simplified as `Rails.application.config.secret_key_base = 'your-secret'` – scarver2 Apr 09 '18 at 19:01
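An added example, not taken from any answer above and not Rails' own code: it uses the generator quoted in the comments, rejects placeholder values such as `'your-secret'`, and shows why regenerating the key on every boot invalidates existing cookies. The helper names, the length policy and the HMAC-based `sign`/`verify` pair are assumptions of this sketch; Rails derives its cookie keys from `secret_key_base` differently.

```ruby
require 'securerandom'
require 'openssl'

# The generator the comment above quotes for `rake secret`: 64 random bytes, hex-encoded.
def generate_secret
  SecureRandom.hex(64)
end

# Hypothetical policy check (not a Rails API): hex only, at least 64 hex chars.
def acceptable_secret?(secret)
  secret.is_a?(String) && secret.match?(/\A\h{64,}\z/)
end

# Hypothetical loader: read the value from the environment and fail closed.
def load_secret(env = ENV)
  secret = env['SECRET_KEY_BASE']
  raise ArgumentError, 'SECRET_KEY_BASE missing or too weak' unless acceptable_secret?(secret)
  secret
end

# Constant-time comparison so verification does not leak where the MACs differ.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Simplified stand-in for cookie signing: value plus HMAC-SHA256 under the secret.
def sign(value, secret)
  "#{value}--#{OpenSSL::HMAC.hexdigest('SHA256', secret, value)}"
end

# Returns the value if the MAC checks out under `secret`, otherwise nil.
def verify(cookie, secret)
  value, _sep, mac = cookie.rpartition('--')
  secure_equal?(OpenSSL::HMAC.hexdigest('SHA256', secret, value), mac) ? value : nil
end

# Constructed scenario: one cookie, checked after a restart with each key strategy.
def restart_demo
  stored = generate_secret # generated once and kept, e.g. in the environment
  cookie = sign('user_id=42', stored)
  { same_key: verify(cookie, stored), regenerated_key: verify(cookie, generate_secret) }
end

p restart_demo if $PROGRAM_NAME == __FILE__
```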
As of 4.1, you need to use the `config/secrets.yml` file. This is discussed in http://guides.rubyonrails.org/upgrading_ruby_on_rails.html#config-secrets-yml.

- Actually, in the link, it says "If you want to use the new secrets.yml convention to store your application's secrets..." I don't see anything that says you *need* to. :) – talyric Nov 05 '15 at 23:04
You simply need to create a `secret_token.rb` file in the `config/initializers` directory.
Contents of the file below:
```
# Paste the key you generated with rake secret between the quotes
YourAppNameHere::Application.config.secret_key_base = 'the-key-you-generated-with-rake-secret'
```
Then save the file, close your server with Ctrl+C, and restart it with `rails s`.
You'll now see the basic Rails app page you saw in the last chapter (if you're working through Hartl's tutorial).

If you are a total noob like me, remember to put the secret_key_base = 'whatever' inside single quotes. Just a copy and paste without quotes will throw an error:
```
C:/RailsInstaller/Ruby1.9.3/lib/ruby/gems/1.9.1/gems/activesupport-4.0.8/lib/active_support/dependencies.rb:223:in `load': C:/Users/Jeff C/documents/rails_projects/first_app/config/initializers/secret_token.rb:1: syntax error, unexpected tIDENTIFIER, expecting $end (SyntaxError)
```

- That was it. Slightly confusing because `secrets.yml` just expects a sequence of characters after it. – JackHasaKeyboard Dec 12 '17 at 19:57
Had this same issue when working on a Rails 4 application that was upgraded to Rails 5.
All I had to do was run the command below to generate a secret key:
```
bundle exec rake secret
```
And then I added the secret key to the `config/secret.yml` file:
```
development:
  secret_key_base: 21bc6137d0496a2a11f4459a7c7deb4f782d223d41ee328934b2fe7a405a42ec63eb3829db67f0ec6a759e134ba0bb15dc2d01168b64d83efcf8d42b403ac8bd
```
