Rails-specific Sources of Sensitive Information
Scrub sensitive information out of:
- config/environments/*.rb
- config/initializers/cookie_verification_secret.rb
- config/initializers/secret_token.rb
- config/initializers/session_store.rb
- any files added to support third-party libraries, such as config/memcached.yml
- config/database.yml
- db/seeds.rb
- any rake tasks in lib/tasks
- test/fixtures/*
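As an added example (not part of the original checklist), the Ruby script below walks exactly those paths under an app root and flags lines that look like hard-coded credentials so they can be scrubbed before the repository goes public. The sample app tree, file contents and regexes are constructed for illustration; a hit is a line to review by hand, not proof of a leak, and commented-out credentials are deliberately still reported because they ship in the repository all the same.

```ruby
require "tmpdir"
require "fileutils"

# File globs from the checklist above, relative to the Rails app root.
SENSITIVE_GLOBS = %w[
  config/environments/*.rb config/initializers/cookie_verification_secret.rb
  config/initializers/secret_token.rb config/initializers/session_store.rb
  config/memcached.yml config/database.yml db/seeds.rb lib/tasks/*.rake test/fixtures/*
].freeze

# Heuristics only: a hit is a line for a human to review, not proof of a leak.
PATTERNS = {
  "hard-coded secret token" => /secret(_key_base|_token)?\s*(=|:)\s*['"][0-9a-f]{32,}['"]/i,
  "literal credential"      => /(password|api_key|access_key|secret_key)\s*(=|:|=>)\s*['"][^'"]+['"]/i,
}.freeze

# Walk the sensitive paths under +root+; return [relative_path, line_no, reason] triples.
def scan_for_secrets(root)
  findings = []
  SENSITIVE_GLOBS.each do |glob|
    Dir.glob(File.join(root, glob)).sort.each do |path|
      next unless File.file?(path)
      File.foreach(path).with_index(1) do |line, lineno|
        # Values read from the environment or injected via ERB are not literals in the repo.
        next if line =~ /ENV\[|ENV\.fetch\(|<%=/
        PATTERNS.each do |reason, re|
          findings << [path.delete_prefix("#{root}/"), lineno, reason] if line.match?(re)
        end
      end
    end
  end
  findings
end

# Constructed sample app (hypothetical values, not a real project) to exercise the scanner.
def build_sample_app
  root = Dir.mktmpdir("rails-scrub")
  {
    "config/initializers/secret_token.rb" =>
      "Example::Application.config.secret_token = '0123456789abcdef0123456789abcdef'\n",
    "config/database.yml" => "production:\n  adapter: postgresql\n  password: 'hunter2'\n",
    "config/environments/production.rb" =>
      "config.action_mailer.smtp_settings = { password: ENV['SMTP_PASSWORD'] }\n",
    "db/seeds.rb" => "# User.create!(email: 'admin@example.com', password: 'changeme')\n",
  }.each do |rel, body|
    FileUtils.mkdir_p(File.dirname(File.join(root, rel)))
    File.write(File.join(root, rel), body)
  end
  root
end
```

Run `scan_for_secrets(build_sample_app)` to see the three constructed hits; the production.rb line is skipped because it reads the password from ENV.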
General Changes
Including this because I think it is a good list of things to keep in mind when releasing open-source software that you also run in production.
- Remove sensitive information:
  - password salts
  - default user credentials populated by code or seeds
  - authentication information for any external server or service:
    - databases
    - third-party APIs
    - eCommerce solutions
  - any seeded data that would potentially publicize trade secrets
- Test the code thoroughly for exploitable flaws. If they are in your code and your code is available to the public, people will find them and will know how to compromise your site.
- Clean up the code. The code is a form of publicity for your site; it is one of the many things that will represent your site/company. Make sure you change variable/function names, error messages, seeded data, etc. that were written out of humor or frustration but would look bad to the public.
- Actively contribute your enhancements and bug fixes to the project, and respond to external requests for fixes/enhancements, or even pull requests from those who have solved a problem themselves. This keeps the project active and also helps with the publicity angle.
- Make sure you give credit where credit is due. Now that your code is public, people will know if you have used third-party code/libraries. If such code came with attribution clauses in its license agreements, make sure your project complies with those agreements.