This rule is about not hardcoding JWT (JSON Web Token) secrets in your Ruby code. JSON Web Tokens are an open, industry standard for securely transmitting information between parties as a JSON object. The information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.
Hardcoding JWT secrets in your code is a security risk, as it gives anyone who has access to the codebase the ability to generate their own valid tokens. This can lead to a number of serious security vulnerabilities, including unauthorized access to protected resources. Because a committed secret also persists in version-control history, a hardcoded secret should be treated as compromised and rotated once it is removed from the code.
To avoid this, store secrets outside of your codebase, in a secure and encrypted environment. You can then reference these secrets in your code through environment variables or a secure secret management system. For example, instead of hardcoding the secret in the JWT.encode method, you can store it in an environment variable and pass it to JWT.encode through a variable such as hmac_secret. This way, even if someone gains access to your codebase, they won’t be able to generate valid tokens without also having access to your secure environment.
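The following added example (not part of the rule text) shows the environment-variable pattern with a minimal HS256 signer built on Ruby's standard library rather than the jwt gem; the ENV key JWT_HMAC_SECRET and the function names are assumptions made for this example.

```ruby
require 'json'
require 'openssl'
require 'base64'

# Pattern the rule flags: the signing key is a literal in the source tree, e.g.
#   JWT.encode(payload, 'my-hardcoded-secret', 'HS256')
# Below, the key is read from the environment at runtime instead.

# The ENV key JWT_HMAC_SECRET is an assumption made for this example.
def load_hmac_secret(env = ENV)
  secret = env['JWT_HMAC_SECRET']
  raise KeyError, 'JWT_HMAC_SECRET is not set' if secret.nil? || secret.empty?
  # HS256 keys should be at least as long as the hash output (32 bytes).
  raise ArgumentError, 'JWT_HMAC_SECRET shorter than 32 bytes' if secret.bytesize < 32
  secret
end

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# HS256 compact serialisation: base64url(header).base64url(payload).base64url(sig)
def encode_hs256(payload, hmac_secret)
  header = b64url(JSON.generate({ alg: 'HS256', typ: 'JWT' }))
  signing_input = "#{header}.#{b64url(JSON.generate(payload))}"
  sig = OpenSSL::HMAC.digest('SHA256', hmac_secret, signing_input)
  "#{signing_input}.#{b64url(sig)}"
end

# Returns the payload if the signature verifies, nil otherwise.
def decode_hs256(token, hmac_secret)
  header, body, sig = token.split('.')
  return nil unless header && body && sig
  # Pin the algorithm so a token-supplied header (e.g. alg "none") is rejected.
  hdr = JSON.parse(Base64.urlsafe_decode64(header))
  return nil unless hdr.is_a?(Hash) && hdr['alg'] == 'HS256'
  expected = b64url(OpenSSL::HMAC.digest('SHA256', hmac_secret, "#{header}.#{body}"))
  return nil unless OpenSSL.secure_compare(expected, sig) # constant-time compare
  JSON.parse(Base64.urlsafe_decode64(body))
rescue JSON::ParserError, ArgumentError
  nil
end

# Application entry point: the secret is resolved from the environment on each
# call and never appears in the code.
def issue_token(payload, env = ENV)
  hmac_secret = load_hmac_secret(env)
  encode_hs256(payload, hmac_secret)
end
```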