Reconsider having a fallback secret committed in app code
jcardinal commented
The rationale in the tutorial is that it's convenient to have this fallback secret for local dev, and you'd then set an environment variable in prod. It seems to me there's a risk of failing to set the env var in prod and then the known secret is in use. Probably better to require the env var in development and avoid committing a secret that could accidentally be in use in prod.
Line 5 in dccd1ea
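The change proposed in this issue, sketched as an added example that is not part of the original issue or the tutorial's code: the fallback pattern beside a loader that fails closed when the variable is missing, equals a committed value, or is too short. The variable name `APP_SECRET`, the placeholder secret, and the 32-character minimum are assumptions made for illustration.

```python
import os

# Constructed stand-in for a fallback secret committed to a repository.
COMMITTED_FALLBACK = "dev-secret-do-not-use"
MIN_SECRET_LEN = 32  # assumed policy: at least 32 characters


class SecretConfigError(RuntimeError):
    """Raised at startup when the signing secret is missing or unsafe."""


def load_secret_with_fallback(environ):
    # Pattern the issue objects to: a missing variable silently
    # yields the value that is public in the repository.
    return environ.get("APP_SECRET") or COMMITTED_FALLBACK


def load_secret_required(environ, known_public=(COMMITTED_FALLBACK,)):
    # Fail closed: no default, so a missing variable stops startup
    # in every environment, development included.
    value = environ.get("APP_SECRET", "").strip()
    if not value:
        raise SecretConfigError("APP_SECRET is not set")
    if value in known_public:
        raise SecretConfigError("APP_SECRET matches a committed value")
    if len(value) < MIN_SECRET_LEN:
        raise SecretConfigError(
            "APP_SECRET is shorter than %d characters" % MIN_SECRET_LEN)
    return value


def check(environ):
    """Return (ok, message) so a deploy or CI step can gate on it."""
    try:
        load_secret_required(environ)
    except SecretConfigError as exc:
        return False, str(exc)
    return True, "ok"


if __name__ == "__main__":
    ok, message = check(os.environ)
    print(message)
    raise SystemExit(0 if ok else 1)
```

Run as a script, it exits non-zero when the secret is unusable, so it can gate a deploy step as well as application startup.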