After reading Code Climate's "Rails' Insecure Defaults" I realized I was guilty of breaking rule 3, Versioned Secret Tokens (the secret token checked into the repository). Here's how I fixed it.
Use dotenv in development and test environments:
# Gemfile
gem 'dotenv-rails', groups: [:development, :test]
Generate a local development key for dotenv (the .env file must stay out of version control):
echo RAILS_SECRET_KEY_BASE=`rake secret` > .env
Secure rails initializer:
# config/initializers/secret_token.rb
# Read the key from the environment instead of a literal in the repo.
# ENV.fetch raises KeyError if the variable is missing, so the app fails fast
# rather than booting with an empty secret_key_base.
YourApp::Application.config.secret_key_base = ENV.fetch('RAILS_SECRET_KEY_BASE')
Securely set the key on Heroku. Because the value is generated inside the backticks and the command's output is discarded, the key itself never lands in your shell history or on the terminal:
heroku config:set RAILS_SECRET_KEY_BASE=`rake secret` > /dev/null
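As an added example (not part of the original post), a small pre-deploy check in Ruby that verifies the three properties the steps above establish: the initializer reads secret_key_base from ENV rather than a literal, the environment holds a key as strong as `rake secret` produces, and `.env` is ignored by git. The function names and the sample file contents are assumptions constructed for this example.

```ruby
require 'securerandom'

# `rake secret` emits 128 hex characters (64 bytes); require at least 256 bits.
MIN_SECRET_HEX_CHARS = 64

# True if the initializer assigns secret_key_base from ENV (ENV['X'] or ENV.fetch('X')).
def secret_from_env?(initializer_src)
  line = initializer_src.lines.find { |l| l =~ /secret_key_base\s*=/ }
  return false unless line
  line.match?(/ENV(\[|\.fetch\()/)
end

# True if the value looks like `rake secret` output: long, hex only.
def strong_secret?(value)
  return false if value.nil?
  value.length >= MIN_SECRET_HEX_CHARS && value.match?(/\A\h+\z/)
end

# True if the .gitignore contents would keep .env out of version control.
def env_file_ignored?(gitignore_src)
  gitignore_src.lines.map(&:strip).any? { |l| ['.env', '/.env', '.env*'].include?(l) }
end

# Returns a list of problems; an empty list means the setup matches the post.
def audit(initializer_src, gitignore_src, env)
  problems = []
  problems << 'secret_key_base is not read from ENV' unless secret_from_env?(initializer_src)
  problems << 'RAILS_SECRET_KEY_BASE missing or too weak' unless strong_secret?(env['RAILS_SECRET_KEY_BASE'])
  problems << '.env is not in .gitignore' unless env_file_ignored?(gitignore_src)
  problems
end

# Constructed sample inputs (not real project files).
GOOD_INIT = "YourApp::Application.config.secret_key_base = ENV['RAILS_SECRET_KEY_BASE']\n"
BAD_INIT  = "YourApp::Application.config.secret_key_base = 'd3adb33f'\n"
GOOD_IGNORE = "/log\n/tmp\n.env\n"
BAD_IGNORE  = "/log\n/tmp\n"
GOOD_ENV = { 'RAILS_SECRET_KEY_BASE' => SecureRandom.hex(64) }  # same shape as `rake secret`
BAD_ENV  = { 'RAILS_SECRET_KEY_BASE' => 'password' }

if __FILE__ == $0
  puts audit(GOOD_INIT, GOOD_IGNORE, GOOD_ENV).inspect  # []
  puts audit(BAD_INIT, BAD_IGNORE, BAD_ENV).inspect     # three problems
end
```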