Phoenix - Setting the signing salt for cookies from an env var

Setting the signing_salt to the value of secret_key_base doesn’t make much sense in the first place.

The idea of a salt in a key derivation function (KDF) is to derive secondary secrets from a single master secret. This is necessary because it is not safe to use the same master key for multiple use-cases in different contexts. As long as you keep your master secret safe, the salts don’t have to be kept secret. If one of the derived secrets is compromised you can just change the salt to rotate it. As long as each individual salt is unique and is never reused in another context.

TL;DR: you can hardcode a signing_salt value at compile-time and commit it to your code repo, as long as you are ok with a code push should you ever have a need to rotate it. (But don’t set it to the current value of secret_key_base, obviously, as that should remain secret!).