Am I crazy, or is it a bad idea to keep my SMTP username and password for ActionMailer in the actual (development/production) config file? It seems like I should store it in an encrypted place, or at the very minimum, exclude it from my Mercurial pushes.

Right now, I'm just removing the password from my source file before performing a push, but there's got to be a smarter way than the one I'm using. :)

Perhaps I should store it in my database as another user (which is already stored with encrypted passwords) and fetch it programmatically?

+4  A: 

Use an application configuration file that is not stored in your repository for storing sensitive information. Here is how I've done it:

  1. Add an app_config.yml in your config directory. Its contents would look like this:

    smtp_password: kl240jvfslkr32rKgjlk
    some_other_password: 34hg9r0j0g402jg
    and_so_on: lkn$@gJkjgsFLK4gaj
    
  2. Add a preinitializer.rb in your config directory with the following contents:

    require 'yaml'
    APP_CONFIG = YAML.load(File.read(RAILS_ROOT + "/config/app_config.yml"))
    
  3. Substitute your passwords for values in the APP_CONFIG variable, like so:

    smtp_password = 'kl240jvfslkr32rKgjlk' # old version
    smtp_password = APP_CONFIG['smtp_password'] # new version
    

Make sure you don't include app_config.yml in your repository, though you may want to create an example file that is checked in, just to show a sample of what should be in it. When you deploy your application, make sure that app_config.yml is stored on the server. If you're using a standard Capistrano deployment, put the file in the shared folder and update your deployment task to create a symlink to it in the current release's directory.

Jimmy Cuadra
That'll work. BTW, thanks for the screencast regarding ActionMailer and TLS encryption. I used it just earlier today to get it working in my app. Quality stuff.
normalocity
Excellent answer Jimmy, this is a great way to abstract any various settings and whatnot that you don't want to store in your DB or have land in your repo... thanks.
Joseph Silvashy
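
An added example, not part of the answer above or of Rails: a stricter loader for the untracked `app_config.yml` that fails at boot if the file is missing, is readable by group or others, lacks a key listed in the checked-in example file, or still holds the example's placeholder value. The names `load_app_config`, `AppConfigError`, the `app_config.yml.example` file name, the `CHANGE_ME` placeholder and the 0600 policy are assumptions made for illustration.

```ruby
require 'yaml'
require 'tmpdir'

# Hypothetical helper: loads the real secrets file and checks it against
# the checked-in example file that documents the expected keys.
class AppConfigError < StandardError; end

def load_app_config(real_path, example_path)
  raise AppConfigError, "#{real_path} is missing; copy it from #{example_path}" unless File.file?(real_path)

  # The secrets file should carry no group/other permission bits.
  mode = File.stat(real_path).mode & 0o777
  raise AppConfigError, format('%s has mode %04o; expected 0600 or stricter', real_path, mode) unless (mode & 0o077).zero?

  # safe_load only builds plain data types, never arbitrary Ruby objects.
  config  = YAML.safe_load(File.read(real_path)) || {}
  example = YAML.safe_load(File.read(example_path)) || {}
  raise AppConfigError, "#{real_path} must be a key/value mapping" unless config.is_a?(Hash)

  missing = example.keys - config.keys
  raise AppConfigError, "missing keys: #{missing.join(', ')}" unless missing.empty?

  # A value equal to the example's placeholder means nobody filled it in.
  unfilled = example.keys.select { |k| config[k].to_s.empty? || config[k] == example[k] }
  raise AppConfigError, "placeholder values left in: #{unfilled.join(', ')}" unless unfilled.empty?

  config.freeze
end

# Constructed demo: temp files stand in for the app's config directory.
def demo
  Dir.mktmpdir do |dir|
    example = File.join(dir, 'app_config.yml.example')
    real    = File.join(dir, 'app_config.yml')
    File.write(example, "smtp_password: CHANGE_ME\nsome_other_password: CHANGE_ME\n")
    File.write(real, "smtp_password: constructed-sample-value\nsome_other_password: another-sample\n")
    File.chmod(0o600, real)
    load_app_config(real, example)['smtp_password']
  end
end

puts demo if $PROGRAM_NAME == __FILE__
```

In the preinitializer from step 2, the `YAML.load` line would become a call to this helper with the two paths under `config/`, so a misconfigured server stops at startup instead of at the first mail delivery.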