Salts in .env?

Hi,

I’m new to Bedrock, so I’m trying to wrap my head around things. I’m using a Bedrock setup without the Ansible/deployment part.

I see that application.php expects salts to be set as environment variables, but in the .env.example I see no dummy entries for salts. I’m just wondering if I’m correct in thinking that I should still add my own salts as environment variables in my .env file?

Correct. Salts don’t matter for development though. WordPress will generate its own. So you only need them for production (and maybe staging if you have one).

I stumbled across this and I would like to have this read in the documentation - of course everybody who studies the Bedrock sources will come across this - but in my case I came across this with a “tststs” on my lips and a shaking of my head. I would like to suggest putting this in a red box in the documentation part about environment variables - defaults are important and any deployment stack should embrace a ‘safe-by-default’ approach, not ‘unsafe-by-default’. I think one sentence in the docs would be enough:
"Important note: Bedrock does NOT define any WordPress SALT constants, so before deploying this into the wild you MUST add these to your .env file used in production. You can use this service: https://api.wordpress.org/secret-key/1.1/salt "

Would you mind opening an issue on GitHub about this?

Sure, why not!

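A pre-deploy check for the situation discussed in this thread, as an added example that is not part of the original posts and not Bedrock's own code: it reports every WordPress key/salt variable in a production .env that is missing, a placeholder, too short or reused, and can generate fresh values locally. The simplified .env parser, the 64-character minimum and the placeholder list are assumptions.

```python
import secrets
import string

# The eight key/salt constants WordPress uses for cookies and nonces.
SALT_NAMES = [
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
]
MIN_LEN = 64  # assumed policy: length of the values api.wordpress.org emits
PLACEHOLDERS = {"changeme", "put your unique phrase here"}  # assumed list

def parse_env(text):
    """Simplified KEY=VALUE parser: skips blanks/comments, strips one quote pair."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        env[key.strip()] = value
    return env

def check_salts(text):
    """Return (name, problem) pairs, in SALT_NAMES order, for unsafe entries."""
    env, problems, seen = parse_env(text), [], {}
    for name in SALT_NAMES:
        value = env.get(name)
        if value is None:
            problems.append((name, "missing"))
        elif value.lower() in PLACEHOLDERS:
            problems.append((name, "placeholder"))
        elif len(value) < MIN_LEN:
            problems.append((name, "too short"))
        elif value in seen:
            problems.append((name, "duplicate of " + seen[value]))
        else:
            seen[value] = name
    return problems

def generate_salts():
    """Build .env lines with fresh values from the OS CSPRNG (no quotes, $, # or \\)."""
    alphabet = string.ascii_letters + string.digits + "!@%^*()-_[]{}<>~+=,.;:/?|"
    return "\n".join(
        "{}='{}'".format(n, "".join(secrets.choice(alphabet) for _ in range(MIN_LEN)))
        for n in SALT_NAMES
    )
```

Run `check_salts` over the production .env in the deploy pipeline and fail the deploy when the returned list is non-empty.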