While we're on the subject of Rails security, should this be of concern?

24 points by rubypay, about 13 years ago

10 comments

skimbrel, about 13 years ago

I presume this is not strictly a Rails problem.

You can check in things that shouldn't be checked in with any language/framework.

If you *have* done this, here's how to fix it: http://help.github.com/remove-sensitive-data/

antics, about 13 years ago

Before we all grab our pitchforks, I have just gone through the entire first page of results and a huge majority of them were explicitly noted as test applications. Sometimes you can see this in the names:

    test / rails_app_v3 / test_app / config

In many other instances, things are not as they seem. For example, some of these results come from commits where the author is moving the token to an environment variable. For example: https://github.com/cimm/blathy/blob/2d3a9550d3a0be55db8e26a25f959a891dee1bcf/config/initializers/secret_token.rb

I certainly agree that we should all be security conscious, but I'm also a fan of keeping perspective. Things are bad, but let's keep the truth in mind too.
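The pattern antics describes (a literal token in config/initializers/secret_token.rb being replaced by an environment variable) is easy to check for mechanically. The following is an added example, not code from the thread or from any of the linked repositories: a small Ruby scanner that flags literal assignments to the names searched for in this thread (secret_token, SECRET_KEY, FB_SECRET), plus a fail-closed loader that reads the token from ENV. The sample initializer contents, the MyApp application name, the regex and the 30-character minimum are all constructed for this example.

```ruby
# Added example: detect a literal secret assigned in a committed config file
# and show the ENV-based form that is safe to commit. All names and sample
# file contents below are constructed for illustration.

# Matches `secret_token = '...'`, `SECRET_KEY = "..."` or `FB_SECRET = '...'`
# where the right-hand side is a quoted literal of 16+ token-like characters.
# Group 2 is the opening quote, \2 requires the same quote to close it.
HARDCODED_SECRET = /(secret_token|SECRET_KEY|FB_SECRET)\s*=\s*(['"])([A-Za-z0-9+\/=_\-]{16,})\2/

# Returns the 1-based line numbers at which a literal secret is assigned.
def find_hardcoded_secrets(source)
  hits = []
  source.each_line.with_index(1) do |line, n|
    hits << n if line =~ HARDCODED_SECRET
  end
  hits
end

# Fail-closed loader: the token must come from the environment. The 30-character
# floor is this example's assumption, chosen to reject trivially short values.
def secret_token_from_env(env = ENV)
  token = env["SECRET_TOKEN"].to_s
  raise "SECRET_TOKEN must be set and at least 30 characters long" if token.length < 30
  token
end

# Constructed 'before' initializer: a literal token that would leak if pushed.
COMMITTED_INITIALIZER = <<~RUBY
  # config/initializers/secret_token.rb
  MyApp::Application.config.secret_token = '0123456789abcdef0123456789abcdef0123456789abcdef'
RUBY

# Constructed 'after' initializer: same file reading the token from ENV.
ENV_INITIALIZER = <<~RUBY
  # config/initializers/secret_token.rb
  MyApp::Application.config.secret_token = ENV.fetch('SECRET_TOKEN')
RUBY

if __FILE__ == $0
  p find_hardcoded_secrets(COMMITTED_INITIALIZER)  # => [2]
  p find_hardcoded_secrets(ENV_INITIALIZER)        # => []
end
```

Run as a pre-commit or CI step over the config directory, a non-empty result blocks the commit before the token reaches a public remote.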
5h, about 13 years ago

Not just rails, same for django (https://github.com/search?q=SECRET_KEY&repo=&langOverride=&start_value=1&type=Code&language=Python) and I imagine any framework with this sort of thing in their default project skeleton

justindocanto, about 13 years ago

This is not a language/framework based issue. This is an issue with careless and/or uneducated developers.

This is like people storing plain text passwords in publicly readable txt files on a server. It's not a problem with FTP, HTML, Apache (pick anything you'd like); it's a problem with people making poor decisions.

bradleyland, about 13 years ago

Flagged. This is just ridiculous. I actually support Egor, but this borders on absurd. The question is stated incorrectly. The actual question is:

"Is storing your *private* key in a public repository a security concern?"

It's a parody of a security question. This is a needless distraction in an important discussion.

oscardelben, about 13 years ago

Could this help? https://github.com/rails/rails/pull/5286

manojlds, about 13 years ago
Soon, there will be articles on how insecure Git is because, well, it allows people to check-in sensitive stuff.
yuvadam, about 13 years ago
Not really. At least not in the way you are insinuating.
zbuc, about 13 years ago

Facebook as well...

https://github.com/search?q=FB_SECRET&repo=&langOverride=&start_value=1&type=Code&language=

Not really a "vulnerability" because you can't keep stupid people from giving out their secret key.

AznHisoka, about 13 years ago
The solution is simple. Don't use a secret token :)