I’ve tried to learn how to keep my API keys secret at some point during every Flatiron project I’ve done so far and failed and gave up. This time my partner and I got it to work and I wanted to save the whole process in one place for the next time I do this.
Rails 5.2 introduced the credentials file. You’ll find it at config/credentials.yml.enc and it will look something like this.
You can hide your API keys and any other credentials that need to remain secret here, but as you can see, it’s encrypted, so you can’t edit it directly. You can run this command in your terminal:
You can replace atom above with the name of your editor. This will open up a readable version of the file that you can edit. The file has a helpful commented out guide you can follow for formatting your secrets, but they should look something like this.
It’s easy to draw on these secrets later when you’re ready to use them.
Your Rails app will also have a config/master.key file, which you should add to your .gitignore. This master key is used to encrypt and decrypt the credentials.
One wrinkle with this came up when my project partner cloned the project and tried to seed the database using our API keys. Since master.key was in the .gitignore file, she didn’t have that to decrypt the credentials file. So if a collaborator clones your project and needs to use your app’s credentials, they will need to create a master.key file that matches yours.
Bonus: Heroku
Hiding our API credentials this way caused us problems when we later deployed the app on Heroku (How to do that here). Since master.key was in our .gitignore, Heroku couldn’t get to the unencrypted version of our keys.
To fix it we saved our master.key to an environment variable. You can set a Heroku environment variable from the Heroku CLI by running:
I discovered later that you can also set up environment variables right on the Heroku dashboard for your application. Navigate to your application’s settings page and click the button that says Reveal Config Vars. You can add and edit your config variables here.
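To make the pieces above concrete (the encrypted credentials file, the master key kept out of git, and the RAILS_MASTER_KEY variable used on Heroku), here is an added stand-alone Ruby example that is not from the original post and not Rails’ own code: it models the credentials round trip with AES-128-GCM from Ruby’s OpenSSL library, reading the key from the env var first and the key file second, the same order Rails uses. The key file path, the env hash parameter and the "iv--ciphertext--tag" layout are assumptions made for the illustration; the real on-disk format differs in detail.

```ruby
require "openssl"
require "securerandom"
require "yaml"
require "base64"

# Simplified stand-in for config/credentials.yml.enc: a 16-byte key, stored
# hex-encoded in config/master.key, drives AES-128-GCM. Illustration only,
# not ActiveSupport::EncryptedConfiguration itself.
CIPHER = "aes-128-gcm"

# Rails checks the RAILS_MASTER_KEY env var first (what Heroku uses), then
# falls back to the master.key file that is listed in .gitignore.
# `env:` and `key_file:` are assumed parameters for testability.
def master_key(env: ENV, key_file: "config/master.key")
  hex = env["RAILS_MASTER_KEY"] || (File.read(key_file).strip if File.exist?(key_file))
  raise "missing master key: set RAILS_MASTER_KEY or create #{key_file}" unless hex
  [hex].pack("H*") # 32 hex chars -> 16 raw key bytes
end

def generate_master_key
  SecureRandom.hex(16) # 32 hex chars, the shape `rails credentials:edit` writes
end

# Encrypt a credentials hash (string keys, as in the YAML you edit) and
# return "iv--ciphertext--tag" with each part base64-encoded.
def encrypt_credentials(creds, key)
  cipher = OpenSSL::Cipher.new(CIPHER).encrypt
  cipher.key = key
  iv = cipher.random_iv
  body = cipher.update(creds.to_yaml) + cipher.final
  [iv, body, cipher.auth_tag].map { |p| Base64.strict_encode64(p) }.join("--")
end

# Decrypt and parse. A collaborator without the matching master.key gets an
# OpenSSL::Cipher::CipherError here because the GCM tag fails to verify.
def decrypt_credentials(blob, key)
  iv, body, tag = blob.split("--").map { |p| Base64.strict_decode64(p) }
  d = OpenSSL::Cipher.new(CIPHER).decrypt
  d.key = key
  d.iv = iv
  d.auth_tag = tag
  YAML.safe_load(d.update(body) + d.final, symbolize_names: true)
end
```

`decrypt_credentials(blob, key)[:api_key]` is the equivalent of reading `Rails.application.credentials.api_key` in the app.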
And now you have an app that doesn’t reveal your API secrets!