Rails mailer / smtp - potential security issue?_问答_开发者

Rails mailer / smtp - potential security issue?

开发者 https://www.devze.com 2023-03-25 04:33 出处：网络

When using SMTP settings in Rails for sending e-mail, you need to provide a username and password for it to send email from your account.But isn\'t it a little dangerous to put your password to the si

When using SMTP settings in Rails for sending e-mail, you need to provide a username and password for it to send email from your account. But isn't it a little dangerous to put your password to the site's email account in plain text in your code? Is there a more secure way to do this?

config.action_mailer.smtp_settings = {
        :address => "address_here",
        :port => 'port_#_here',
        :domain => "example.com",
        :authentication => :plain,
        :user_name => "user@example.com",
        :password => "foobar",
        :enable_sta开发者_Go百科rttls_auto => true
  }

This is probably not much of an issue for the development environment, as you might be using a server that doesn't require authentication or a dummy account of some sort.

For the production environment the pattern I have seen/used most often is to keep information like usernames, passwords etc. within the environment itself e.g.:

config.action_mailer.smtp_settings = {
        :address => "address_here",
        :port => 'port_#_here',
        :domain => "example.com",
        :authentication => :plain,
        :user_name => ENV['EMAIL_USERNAME'],
        :password => ENV['EMAIL_PASSWORD'],
        :enable_starttls_auto => true
  }

This way an attacker will have to gain access to your production box itself in order to get this info. If you're deploying your app to Heroku for example and using the Sendgrid plugin for you email - the plugin will make you follow that pattern.