Rails mailer / smtp - potential security issue?
When using SMTP settings in Rails for sending e-mail, you need to provide a username and password for it to send email from your account. But isn't it a little dangerous to put your password to the site's email account in plain text in your code? Is there a more secure way to do this?
config.action_mailer.smtp_settings = {
:address => "address_here",
:port => 'port_#_here',
:domain => "example.com",
:authentication => :plain,
:user_name => "user@example.com",
:password => "foobar",
:enable_starttls_auto => true
}
This is probably not much of an issue for the development environment, as you might be using a server that doesn't require authentication or a dummy account of some sort.
For the production environment the pattern I have seen/used most often is to keep information like usernames, passwords etc. within the environment itself e.g.:
config.action_mailer.smtp_settings = {
:address => "address_here",
:port => 'port_#_here',
:domain => "example.com",
:authentication => :plain,
:user_name => ENV['EMAIL_USERNAME'],
:password => ENV['EMAIL_PASSWORD'],
:enable_starttls_auto => true
}
This way an attacker will have to gain access to your production box itself in order to get this info. If you're deploying your app to Heroku for example and using the Sendgrid plugin for your email - the plugin will make you follow that pattern.
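The environment-variable pattern from the answer above, as an added example that is not part of the original question or answer. It builds the smtp_settings hash from an environment hash, refuses to start in production when a credential is missing (a nil password would otherwise fail only at send time, or send unauthenticated), and redacts the password before the hash is logged. EMAIL_USERNAME and EMAIL_PASSWORD are the names used in the answer; SMTP_ADDRESS, SMTP_PORT and SMTP_DOMAIN are assumed names chosen for this example, and the sample environment is constructed, not real credentials.

```ruby
# Added example: derive Rails SMTP settings from environment variables and
# fail fast when a production credential is absent. Not code from the
# original post. Env var names SMTP_ADDRESS / SMTP_PORT / SMTP_DOMAIN are
# assumptions for this example; EMAIL_USERNAME / EMAIL_PASSWORD follow the
# answer above.

# Build the hash that would be assigned to config.action_mailer.smtp_settings.
# `env` is passed in explicitly (ENV in real use) so the helper can be
# exercised with a constructed hash instead of the process environment.
def smtp_settings_from_env(env, production: true)
  required = %w[EMAIL_USERNAME EMAIL_PASSWORD]
  missing = required.reject { |k| env[k] && !env[k].empty? }
  # In production an unset credential is a deployment error, not something
  # to discover when the first e-mail silently fails to send.
  if production && missing.any?
    raise ArgumentError, "missing SMTP credentials in environment: #{missing.join(', ')}"
  end
  {
    address:              env.fetch("SMTP_ADDRESS", "localhost"),
    port:                 Integer(env.fetch("SMTP_PORT", "587")), # raises on a non-numeric port
    domain:               env.fetch("SMTP_DOMAIN", "example.com"),
    authentication:       :plain,
    user_name:            env["EMAIL_USERNAME"],
    password:             env["EMAIL_PASSWORD"],
    enable_starttls_auto: true,
  }
end

# Return a copy safe to log or inspect, so the password pulled out of the
# environment does not leak through a log line or error report.
def redacted(settings)
  settings.merge(password: settings[:password].nil? ? nil : "[REDACTED]")
end

if __FILE__ == $0
  # Constructed environment for demonstration only; not real credentials.
  fake_env = {
    "SMTP_ADDRESS"   => "smtp.example.com",
    "SMTP_PORT"      => "587",
    "EMAIL_USERNAME" => "user@example.com",
    "EMAIL_PASSWORD" => "s3cret",
  }
  puts redacted(smtp_settings_from_env(fake_env)).inspect

  begin
    smtp_settings_from_env({}) # production with nothing configured
  rescue ArgumentError => e
    puts "refused: #{e.message}"
  end

  # In config/environments/production.rb this becomes:
  #   config.action_mailer.smtp_settings = smtp_settings_from_env(ENV)
end
```

Because the real ENV responds to [] and fetch like a Hash, the same helper works unchanged in config/environments/production.rb; in development you would call it with production: false so a missing dummy account does not block boot.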