Context: an app with public access, where you would like to prevent public access to staging (to avoid Google indexing and confused users).
One option, if you are enterprisey, is to keep the staging environment behind the firewall, not publicly available.
A better option, IMO: given Apache or similar, I'd set basic auth in the Apache config file, or add it to .htaccess if Apache is configured to read that. Pretty simple and unobtrusive to the app code. On Heroku, however, we can't do that.
Heroku forces you to develop and deploy your app slightly differently. It has a read-only filesystem. Git is the only way to send Heroku files, which removes the possibility of using custom files on the server that you keep in .gitignore (normal with config/some_settings_x.yml files). In my opinion, Heroku forces me to have a better architecture. Disk writes are heavy on the server; why spend server CPU time on disk duty when it should be serving pages to your valuable customers?
What about basic auth? This was already fairly simple with Apache, wasn't it?
You be the judge of what is best. I ended up doing this:
    # config/environments/staging.rb
    MyApp::Application.configure do
      # Require HTTP basic auth (realm "Staging") for every request to the app.
      config.middleware.insert_after(::Rack::Lock, "::Rack::Auth::Basic", "Staging") do |u, p|
        [u, p] == ['username', 'password']
      end
      #... other config
    end

Beautiful and very readable; now it's all there, right in your environment config.
Now that you have secured your staging environment from Google bots, you don't have to bother with robots.txt, and it keeps people from blindly stumbling into your staging app.
As a final note: to easily change the password, you should consider
    [u, p] == [ENV['MY_SITE_USERNAME'], ENV['MY_SITE_SECRET']]

    $ heroku config:add MY_SITE_USERNAME='username' --app myappstaging
    $ heroku config:add MY_SITE_SECRET='secret' --app myappstaging
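A hardened variant of the credential check above, added here as an example and not part of the original post: it refuses every login when either config var is unset or empty, and compares in constant time instead of with `==`. The helper names `secure_equal?` and `staging_authenticator` are hypothetical; the config var names are the ones used above.

```ruby
require 'digest'

# Constant-time string equality: hash both sides to a fixed length, then
# XOR every byte so the running time does not depend on where they differ.
def secure_equal?(a, b)
  da = Digest::SHA256.digest(a.to_s).bytes
  db = Digest::SHA256.digest(b.to_s).bytes
  da.zip(db).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Builds the block handed to Rack::Auth::Basic (hypothetical helper).
# `env` defaults to ENV; a plain Hash can be passed in for testing.
def staging_authenticator(env = ENV)
  expected_user = env['MY_SITE_USERNAME'].to_s
  expected_pass = env['MY_SITE_SECRET'].to_s
  lambda do |u, p|
    # Fail closed: a missing or empty config var must never authenticate anyone.
    return false if expected_user.empty? || expected_pass.empty?
    # Evaluate both comparisons before combining them (no short-circuit).
    user_ok = secure_equal?(u, expected_user)
    pass_ok = secure_equal?(p, expected_pass)
    user_ok & pass_ok
  end
end

# Wiring, in config/environments/staging.rb:
#   config.middleware.insert_after(::Rack::Lock, "::Rack::Auth::Basic",
#                                  "Staging", &staging_authenticator)
```

Basic auth sends the credentials base64-encoded, not encrypted, so the staging app should only be reachable over HTTPS.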