
How can I keep my Heroku application private?


My cheap solution has been implementing a before_filter to request an HTTP authentication before every action is executed.

This solution works well alongside other authentication layers – Devise or others.

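    class ApplicationController < ActionController::Base
      # username => password, used by the digest handshake
      USERS = { "user" => "secret" }

      before_filter :authenticate

      def authenticate
        # The block returns the stored password for the given name (nil if unknown)
        authenticate_or_request_with_http_digest("Application") do |name|
          USERS[name]
        end
      end
    end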

Whenever other peers land at yourdomain.heroku.com, they are asked for HTTP authentication, later for other authentication if in place.


Now you can also use a Heroku add-on that lets you specify emails of users allowed to access an application and that uses Persona (aka BrowserID) to authenticate users (no site-specific password needed).


A really simple solution would be to just add a key that can be stored in a cookie on the user's machine. This is not a perfect solution as someone could get the key, but it gives you basic protection from someone stumbling across your site. You could use a URL like http://www.yourdomain.com?access_key=random_string and then add the following to your application controller.

    class ApplicationController < ActionController::Base
      before_filter :check_redirect_key

      def check_redirect_key
        # Accept the key from the query string or from a previously set cookie
        if params[:access_key] != 'random_string' && cookies[:access_key] != 'random_string'
          redirect_to "/404.html"
        elsif params[:access_key] == 'random_string'
          # Remember the key so later requests work without it in the URL
          cookies.permanent[:access_key] = 'random_string'
        end
      end
    end

This code will check for the access key in either the URL or a cookie on the user's machine and let them in if it exists in either place. That way, once they've accessed the site with the key, they can just access the URL directly.
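
A hardened variant of the access-key gate from the last answer, added here as an example and not code from any of the answers: the key comes from a config var instead of the source, it is compared in constant time, and a valid key in the URL is moved into a cookie and redirected away. `AccessKeyGate`, the `ACCESS_KEY` variable and the 30-day cookie lifetime are assumptions, and the `Secure` flag assumes the site is served over HTTPS.

```ruby
require "digest"
require "uri"

# Added example, not the answer's code. AccessKeyGate and the ACCESS_KEY
# config var are assumed names; the gate is a plain Rack-style middleware.
class AccessKeyGate
  NAME = "access_key"
  DENIED = [404, { "content-type" => "text/plain" }, ["Not Found\n"]].freeze

  def initialize(app, key: ENV.fetch("ACCESS_KEY"))
    raise ArgumentError, "access key must not be empty" if key.to_s.empty?
    @app = app
    @key_digest = Digest::SHA256.digest(key).bytes
  end

  def call(env)
    url_key = lookup(env["QUERY_STRING"], "&")
    if valid?(url_key)
      # Store the key in a cookie, then redirect so it leaves the address bar.
      # Collapsing leading slashes keeps "//host" from becoming an off-site redirect.
      path = "/" + env["PATH_INFO"].to_s.sub(%r{\A/+}, "")
      cookie = "#{NAME}=#{URI.encode_www_form_component(url_key)}; Path=/; " \
               "Max-Age=2592000; HttpOnly; Secure; SameSite=Lax" # 30 days (assumed)
      return [302, { "location" => path, "set-cookie" => cookie }, []]
    end
    valid?(lookup(env["HTTP_COOKIE"], /;\s*/)) ? @app.call(env) : DENIED
  end

  private

  # Return the decoded value of NAME from "a=b<sep>c=d" text, or nil.
  def lookup(raw, sep)
    raw.to_s.split(sep).each do |pair|
      name, value = pair.split("=", 2)
      return decode(value) if name == NAME && value
    end
    nil
  end

  def decode(value)
    URI.decode_www_form_component(value)
  rescue ArgumentError # malformed %-encoding is treated as "no key"
    nil
  end

  # Compare SHA-256 digests byte by byte so timing does not leak a prefix match.
  def valid?(candidate)
    return false if candidate.nil?
    Digest::SHA256.digest(candidate).bytes.zip(@key_digest).reduce(0) { |d, (a, b)| d | (a ^ b) }.zero?
  end
end
```

In a Rails app this would be mounted with `config.middleware.use AccessKeyGate`, with the key set through `heroku config:set ACCESS_KEY=...`.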