Session secret documentation does not encourage good secret management strategies #1187
Closed
Description
In the readme and intro documentation, we describe how to set a session secret manually with this code block:
```ruby
set :session_secret, 'super secret'
```
We don't mention anywhere that the value should really be pulled in from an environment variable (or possibly a config file not checked into the codebase, a secret store, etc.).
We also don't mention how to securely generate the value.
While ideally all developers would know that this secret shouldn't be checked into code, and should be generated with a CSPRNG, frameworks have an opportunity to promote good security practices. This will simultaneously educate developers and prevent vulnerabilities.
I'd suggest that we:
- Show code examples sourcing secrets from environment variables
- Add an example of generating a secure random secret
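An added example in Ruby of both suggestions, written for this page and not taken from the Sinatra project or the issue itself: the secret is read from an environment variable with a fail-closed length check, and a new one is generated with the standard library's `SecureRandom`. The module name, the `SESSION_SECRET` variable name and the 64-byte minimum are assumptions for the example.

```ruby
# Added example (not the Sinatra project's code): load a session secret from
# the environment and generate one with a CSPRNG. SessionSecret, ENV_KEY and
# MIN_LENGTH are names and values chosen for this example.
require 'securerandom'

module SessionSecret
  # Environment variable the app reads the secret from (assumed name).
  ENV_KEY = 'SESSION_SECRET'
  # Minimum accepted length in bytes; 64 bytes gives a comfortable margin for
  # HMAC-based cookie signing and rejects short placeholders like 'super secret'.
  MIN_LENGTH = 64

  # Generate a fresh secret from a cryptographically secure RNG.
  # 64 random bytes are returned as 128 hex characters. Run this once, store the
  # output in the deployment environment or a secret store, never in the repo.
  def self.generate(bytes = 64)
    SecureRandom.hex(bytes)
  end

  # Read the secret from +env+ (ENV by default; a Hash is accepted for tests).
  # Raises instead of falling back to a default, so a misconfigured deployment
  # cannot start with a missing or weak secret.
  def self.fetch(env = ENV)
    secret = env[ENV_KEY]
    raise KeyError, "#{ENV_KEY} is not set" if secret.nil? || secret.empty?
    if secret.bytesize < MIN_LENGTH
      raise ArgumentError, "#{ENV_KEY} must be at least #{MIN_LENGTH} bytes"
    end
    secret
  end
end

# Wiring into a Sinatra app (left as a comment so this file runs without the gem):
#   require 'sinatra'
#   enable :sessions
#   set :session_secret, SessionSecret.fetch
```

Generating the value out of band (`ruby -rsecurerandom -e 'puts SecureRandom.hex(64)'`) and exporting it as `SESSION_SECRET` keeps the literal out of the source tree entirely.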