Will It Vibe logoWill It Vibe?
RAILS-020Medium severity-8 points

Hardcoded secret_key_base

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

secret_key_base signs and encrypts sessions, cookies, and signed URLs. A literal value in a checked-in file lets anyone with repository access forge session cookies for any instance of this app.

Why it matters

secret_key_base is the root key Rails uses to sign and encrypt sessions, cookies, and signed URLs. A literal value checked into source control means anyone who has ever had repository access, including through git history even after the line is removed, can forge valid session cookies for any deployment of this app.

How to fix it

Replace the literal with Rails.application.credentials.secret_key_base (the modern default, backed by config/credentials.yml.enc and master.key) or ENV.fetch("SECRET_KEY_BASE") if this app manages secrets through environment variables instead. Then rotate the exposed value: generate a new one with bin/rails secret and update it everywhere the app is deployed, since the old value must be treated as compromised.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks