Phoenix projects have two secrets: the secret key base and the database password.

The secret key base is used by Plug to sign (and, if an encryption salt is configured, encrypt) the session cookie, and by Phoenix to sign channel and other tokens (Phoenix.Token). The default cookie store only signs, so if the secret key base is disclosed an attacker can read every session cookie, and can forge one by signing a session containing whatever data they choose, such as another user's id.
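To make concrete what a leaked secret key base buys an attacker, here is an added example (written for this page; it is not the talk's code nor Phoenix's own) that derives the cookie-store key the same way Plug.Session.COOKIE does and then reads, forges and tampers a session cookie. The `secret_key_base` and `signing_salt` values are made up; note that the signing salt is not a secret at all, it sits in the endpoint's session options in source control, so the key base is the only input an attacker lacks. Runs as a standalone script with `elixir forge_session.exs` (Elixir 1.12+ for `Mix.install`).

```elixir
# Added example: read, forge and tamper a Plug cookie-store session given a
# leaked secret_key_base. Not code from the original talk or from Phoenix.
Mix.install([{:plug_crypto, "~> 2.0"}])

alias Plug.Crypto.{KeyGenerator, MessageVerifier}

# Assumed inputs (hypothetical values, not from any real project):
#   secret_key_base - the leaked secret, e.g. the dev one committed in config/dev.exs.
#                     Plug's cookie store requires at least 64 bytes.
#   signing_salt    - not secret: it lives in the endpoint's session options in git.
secret_key_base = String.duplicate("leaked-dev-secret-", 4)
signing_salt = "cookie-signing-salt"

# Plug.Session.COOKIE derives its HMAC key from secret_key_base and signing_salt
# with PBKDF2-SHA256 (1000 iterations, 32 bytes by default), so anyone holding
# both inputs derives exactly the key the server uses.
key = KeyGenerator.generate(secret_key_base, signing_salt)

# Same format the server uses for a signed-only session: external term format
# of the session map, signed with HS256 (which is why cookies start "SFMyNTY.").
sign_session = fn session_map, key ->
  MessageVerifier.sign(:erlang.term_to_binary(session_map), key)
end

# Verify the signature, then decode the payload without executing anything in it.
read_session = fn cookie, key ->
  case MessageVerifier.verify(cookie, key) do
    {:ok, payload} -> {:ok, Plug.Crypto.non_executable_binary_to_term(payload, [:safe])}
    :error -> :error
  end
end

# 1. A cookie the server issued for user 42 ...
legit_cookie = sign_session.(%{"user_id" => 42}, key)
# ... is readable by anyone with the key base (signed, not encrypted).
IO.inspect(read_session.(legit_cookie, key), label: "decoded server cookie")

# 2. Forge a cookie that claims to be user 1; the app cannot tell it apart.
forged_cookie = sign_session.(%{"user_id" => 1}, key)
IO.inspect(read_session.(forged_cookie, key), label: "forged cookie verifies")

# 3. Without the key, swapping in a different payload is caught: the
#    legitimate signature does not match the forged payload.
[hdr, _legit_payload, legit_sig] = String.split(legit_cookie, ".")
[_hdr, forged_payload, _forged_sig] = String.split(forged_cookie, ".")
tampered = Enum.join([hdr, forged_payload, legit_sig], ".")
IO.inspect(read_session.(tampered, key), label: "tampered without the key")

# 4. Rotating secret_key_base (mix phx.gen.secret) invalidates every cookie and
#    token signed under the old one, forged or not.
rotated_key = KeyGenerator.generate(String.duplicate("rotated-secret-", 5), signing_salt)
IO.inspect(read_session.(forged_cookie, rotated_key), label: "after rotation")
```

Steps 1 and 2 print `{:ok, %{"user_id" => 42}}` and `{:ok, %{"user_id" => 1}}`; steps 3 and 4 print `:error`. If the endpoint also sets an `encryption_salt`, the cookie goes through Plug.Crypto.MessageEncryptor instead, but the encryption key is derived from the same secret key base, so disclosure of the key base still exposes and allows forging of the session.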

The database password is, of course, used to log into the database. If the database password is disclosed, all your data is accessible to anyone who can reach the database.

By default, the prod secrets are kept in a separate file, config/prod.secret.exs, that is git-ignored. Not keeping production secrets in source control is a best practice.

But, by default, Phoenix does keep your development and test secrets in source control, in config/dev.exs and config/test.exs. I see two problems with this: first, it means that your entire team uses the same secrets, and second, if your repository is public, anyone can read your secrets on GitHub.
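As an added example (not from the talk and not what the Phoenix generators emit), here is a config/dev.exs with the generated, committed form beside a form that reads per-developer secrets from the environment, so the file can stay in git while the secrets do not. The app and module names (`my_app`, `MyApp.Repo`, `MyAppWeb.Endpoint`) and the environment variable names are assumptions; `import Config` needs Elixir 1.9 or newer (older generators wrote `use Mix.Config`).

```elixir
# Added example: config/dev.exs with the weak default beside the corrected form.
# Names of the app, modules and environment variables are assumptions.

# --- as generated (weak): both secrets are literals in a committed file, so every
# --- developer shares them and anyone with read access to the repo has them.
#
# config :my_app, MyAppWeb.Endpoint,
#   secret_key_base: "...one long literal shared by the whole team..."
#
# config :my_app, MyApp.Repo,
#   username: "postgres",
#   password: "postgres",
#   database: "my_app_dev",
#   hostname: "localhost"

# --- corrected: each developer supplies their own values (e.g. from a git-ignored
# --- .env or their shell profile); missing or short values fail at boot.
import Config

secret_key_base =
  System.get_env("SECRET_KEY_BASE") ||
    raise "SECRET_KEY_BASE is not set; generate one with `mix phx.gen.secret`"

# Plug's cookie session store requires at least 64 bytes; catch a bad value early.
if byte_size(secret_key_base) < 64 do
  raise "SECRET_KEY_BASE must be at least 64 bytes long"
end

config :my_app, MyAppWeb.Endpoint,
  secret_key_base: secret_key_base

config :my_app, MyApp.Repo,
  username: System.get_env("DB_USER", "postgres"),
  password:
    System.get_env("DB_PASSWORD") ||
      raise("DB_PASSWORD is not set; put it in your local, git-ignored .env"),
  database: "my_app_dev",
  hostname: System.get_env("DB_HOST", "localhost")
```

The same treatment applies to config/test.exs. The alternative that mirrors the page's own prod setup is a git-ignored config/dev.secret.exs pulled in with `import_config`; the environment-variable form above has the advantage that a missing secret fails loudly with a message saying how to generate one, instead of a missing-file error.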

You may think these aren't issues because the secrets aren't meant for production, but if you end up replicating part of your production data into development to fix a bug, and someone gets access to your network, anyone who has read the repository already holds the database password and secret key base for that environment, and you can end up divulging production data to the attacker.