Phoenix: Should the signing salt be secret, too?

Created on 3 Mar 2017 · 1Comment · Source: phoenixframework/phoenix

This is less of an issue and more of a question.

Session cookies are signed with both the signing_salt and the secret_key_base. Is there a reason for not defaulting to keeping the signing_salt secret and different from dev/test (similar to how the prod_secret_key_base is generated for prod.secret.exs)?

If not, I am more than willing to open a PR for my first contribution!

Source

kylekthompson

❤4

Most helpful comment

The secret_key_base is enough as a secret. There are also advantages for keeping them in different places.

josevalim on 3 Mar 2017

👍3

>All comments

The secret_key_base is enough as a secret. There are also advantages for keeping them in different places.

josevalim on 3 Mar 2017

👍3

Was this page helpful?

0 / 5 - 0 ratings

Related issues

Unexpected InvalidCSRFTokenError when submitted via AJAX with CSRF token in header

imranismail · 4Comments

mix phx.new --live creates a broken project

oliverandrich · 3Comments

Add prompt/warning when injecting code into overly complex contexts

chrismccord · 4Comments

Compilation error while installing phx_new 1.4.0-rc.1

tcoopman · 3Comments

Could not create a new project with mix phx.new of 1.3.0-rc.3

blisscs · 4Comments