Rack::Session::Cookie accepts a :secret option in its initializer. The initializer stores that secret in an instance variable and uses it in the #set_session method to HMAC-sign the data. Rack HEAD added security warnings for when the Rack::Session::Cookie middleware is initialized without a secret. This is causing the warning to show up because of the way Rails uses Rack::Session::Cookie: Rails u
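
Why a missing secret merits a warning, shown as an added sketch that is not Rack's or Rails' own code: with a secret, the cookie value carries an HMAC that is checked before the data is trusted, and without one there is nothing to check. The class name, the `data--digest` layout, the JSON serialization and the SHA-256 digest are assumptions made for this illustration.

```ruby
require "openssl"
require "json"

# Hypothetical helper (not Rack::Session::Cookie): encodes a session hash into
# a cookie value and HMAC-signs it only when a secret was configured.
class SignedCookieSketch
  def initialize(secret: nil)
    @secret = secret
  end

  # Returns "<base64 data>--<hex hmac>" with a secret, bare "<base64 data>" without.
  def encode(session)
    data = [JSON.generate(session)].pack("m0")
    @secret ? "#{data}--#{hmac(data)}" : data
  end

  # Returns the session hash, or nil when the value is malformed or, with a
  # secret configured, when the digest is missing or does not match.
  def decode(cookie)
    data, digest = cookie.to_s.split("--", 2)
    return nil if data.nil? || data.empty?
    if @secret
      return nil unless digest && secure_compare(digest, hmac(data))
    end
    JSON.parse(data.unpack1("m0"))
  rescue ArgumentError, JSON::ParserError
    nil
  end

  private

  def hmac(data)
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA256"), @secret, data)
  end

  # Constant-time comparison so the check does not leak how many bytes matched.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed sample values, for illustration only.
signed   = SignedCookieSketch.new(secret: "constructed-example-secret")
unsigned = SignedCookieSketch.new
cookie   = signed.encode("user_id" => 1)
altered  = [JSON.generate("user_id" => 2)].pack("m0")
puts signed.decode(cookie).inspect                                    # original value verifies
puts signed.decode("#{altered}--#{cookie.split('--').last}").inspect  # altered data is rejected
puts unsigned.decode(altered).inspect                                 # no secret: accepted as-is
```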