How to keep the app secret a secret?

Question

Every new Play app gets a new application secret generated into its config file.

application.secret=asdfadsfdasf

I'm developing an open source app that will be deployed on Heroku. How can I keep the app secret a secret (e.g. no commit it into source control)?

Where exactly is the app secret used? Perhaps for my limited purposes I don't really have to keep it a secret?

Answer 1

You can externalize the secret as an environment variable.

In conf/application.conf Simply replace

application.secret=abc123...

with

application.secret=${APP_SECRET}

and then set this config var in Heroku with:

$ heroku config:add APP_SECRET=abc123...

Now you can manage secrets on a per-app basis and avoid checking them into version control.