Where do I place Stripe's publishable and secret keys?

Question

I work in development environment.

I have a stripe.rb file under /config/initializers which its contents are:

Rails.configuration.stripe = {
  :publishable_key => ENV['PUBLISHABLE_KEY'],
  :secret_key      => ENV['SECRET_KEY']
}

Stripe.api_key = Rails.configuration.stripe[:secret_key]

I tried to place them there ( in the ENV['key-here'] ) but Stripe doesn't recognise them and returns an error.

For making it work, I pass them before launching my rails server like that:

PUBLISHABLE_KEY=pk_test_XXXXXXXXXXXXX SECRET_KEY=sk_test_XXXXXXXXXXXX rails s

Where do I place these values in my Rails app? (as I will soon deploy in production)

Thanks

Answer 1

Where do I place these values in my Rails app?

You don't.

You don't want those to be in your source code, as anyone with access to your source code could then access your Stripe account (and start making your customer pay...).

They should be in your environment variables on the server. If this look inconvenient to you, you can take a look at figaro which is made to help you regarding sensitive information.

Be careful that if your yml file is not written by you (e.g, if some content is injected), it has some safety risk (someone could inject malicious code there). You can use safe_yml to prevent those kind of risk.

Finally, if you are deploying on Heroku, you can configure variables there which will be available to your application.