Found the secret token (config/initializers/secret_token.rb) used to sign cookies is in version control. Apparently this can be used to execute arbitrary code on your production server. Link to how it can be done here
Best thing to do now is to generate a new current secret token in production and then load in your secret token as an ENV variable when deploying
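A worked version of the remediation described above, added here as an example and not part of the original issue: mint a fresh token the way `rake secret` does (`SecureRandom.hex(64)`) and have the initializer read it from the environment, refusing to boot on a missing or weak value so the secret never has to live in git. The variable name `SECRET_TOKEN` and the helper names are assumptions.

```ruby
require 'securerandom'

# Added example (not from the original issue). Two steps:
# 1) generate a new secret (what `rake secret` does: SecureRandom.hex(64)),
# 2) load it from the environment at boot and fail loudly if it is absent
#    or obviously weak, so nothing secret is committed to version control.

MIN_SECRET_HEX_LENGTH = 128 # 64 random bytes as hex, same size as `rake secret`

# Step 1: run once in production, store the output in the deploy environment
# (e.g. SECRET_TOKEN=<value>), never in the repository.
def generate_secret_token
  SecureRandom.hex(64)
end

# Step 2: what the initializer does on boot. The env hash is a parameter
# (defaulting to ENV) so the check can be exercised outside a Rails process.
def load_secret_token(env = ENV)
  token = env['SECRET_TOKEN']
  if token.nil? || token.empty?
    raise 'SECRET_TOKEN is not set; generate one with `rake secret` and export it'
  end
  if token.length < MIN_SECRET_HEX_LENGTH || token !~ /\A\h+\z/
    raise 'SECRET_TOKEN is too short or not hex; expected SecureRandom.hex(64) output'
  end
  token
end

# In config/initializers/secret_token.rb the committed line would then be
# (Rails 3 naming; Rails 4 renamed the setting secret_key_base):
#   YourApp::Application.config.secret_token = load_secret_token
```

Rotating the token invalidates every cookie signed with the old one, so all existing sessions are logged out once the new value is deployed; that is the intended effect, since the leaked token must not remain valid.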