-# Do not keep production secrets in the repository,
-# instead read values from the environment.
+# development:
+# secret_key_base: <%= rand(1<<255).to_s(36) %>
+
+# test:
+# secret_key_base: <%= rand(1<<255).to_s(36) %>
+
+# In case this doesn't get overriden for some reason, assign a random key
+# to gracefully degrade by rejecting cookies instead of by opening a
+# vulnerability.