Signing_salt

Hi,

I notice in various live tutorials that they include a step to configure the signing_salt in config.exs and replace the existing 8 character one.

Is this necessary to make things work (doesn’t seem to be) or simply good practice 'cos an 8 char secret is a bit of a crappy secret? :wink:

Thanks

Tom

1 Like

It’s not a secret, it’s a salt. Most keys in a Phoenix application are derived from the secret_key_base, and each use-case should have a separate salt to ensure they derive unique keys (reusing a key for different use-cases may weaken the security). So as long as you keep your secret_key_base secret and random, the salt values just need to be unique within your application.

4 Likes
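To make the "salt, not secret" point concrete, here is an added example (not code from this thread or from Phoenix) that reproduces the derivation pattern the reply describes in Python: one secret_key_base, a distinct salt per use-case, and a key derived from the pair. The PBKDF2-HMAC-SHA256 call is an assumption that mirrors the shape of Plug.Crypto.KeyGenerator.generate/3; the iteration count, key length, secret value and salt strings are this example's own constructed values.

```python
"""Deriving per-use-case keys from one secret_key_base with distinct salts."""
import hashlib
import hmac

# Constructed stand-in for secret_key_base. A real Phoenix app generates a long
# random value (mix phx.gen.secret) and keeps it out of version control.
SECRET_KEY_BASE = "constructed-example-secret-key-base-0123456789abcdef0123456789abcdef"

# Salts as they would sit in config.exs. They are public configuration, not
# secrets; their job is to make each use-case's derived key unique.
SESSION_SALT = "sessionX"  # an 8-character salt, like the generated default
LIVE_VIEW_SALT = "live_view salt, any length works"


def derive_key(secret_key_base, salt, iterations=1000, length=32):
    """PBKDF2-HMAC-SHA256 derivation.

    Assumption: this mirrors the shape of Plug.Crypto.KeyGenerator.generate/3,
    which Phoenix uses internally; the iteration count and output length are
    this example's own defaults, not values taken from Phoenix.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", secret_key_base.encode(), salt.encode(), iterations, length
    )


def sign(key, payload):
    """Authenticate a payload under a derived key (HMAC-SHA256 tag)."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def verify(key, payload, tag):
    """Constant-time tag check; False if the key or the payload differ."""
    return hmac.compare_digest(sign(key, payload), tag)


def key_separation_report():
    """Show what the salt buys: two use-cases, one secret, two unrelated keys."""
    session_key = derive_key(SECRET_KEY_BASE, SESSION_SALT)
    live_view_key = derive_key(SECRET_KEY_BASE, LIVE_VIEW_SALT)
    # The same salt reused for a second use-case by mistake.
    reused_key = derive_key(SECRET_KEY_BASE, SESSION_SALT)

    payload = b"user_id=42"
    session_tag = sign(session_key, payload)

    return {
        # Different salts give independent keys from the one secret.
        "keys_differ": session_key != live_view_key,
        # Reusing a salt across use-cases collapses them onto one key.
        "reused_salt_same_key": reused_key == session_key,
        # A tag minted for one use-case verifies only under that use-case's key.
        "session_tag_valid_for_session": verify(session_key, payload, session_tag),
        "session_tag_valid_for_live_view": verify(live_view_key, payload, session_tag),
        # Knowing the salt alone, without secret_key_base, reproduces nothing.
        "salt_alone_yields_key": derive_key("", SESSION_SALT) == session_key,
    }


if __name__ == "__main__":
    for name, value in key_separation_report().items():
        print(f"{name}: {value}")
```

The last entry in the report is the answer to the original question: the salt's length is not what protects the derived key, secret_key_base is, so the 8-character default is fine as long as each use-case in the app has its own.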

It’s not a secret, it’s a salt.

Fair point.

The underlying point is that it is good practice for each use-case to have a separate salt, not that you must provide it or the live view will not work. So for a throw-away example this step is not strictly necessary.

Is that right?

Thanks

Tom

Still tooooo shooort. That’s the first thing I change in any project I start :slight_smile: