MadPhysicist

Reputation: 5831

Django Secret Key Compromised

I am wondering what steps one would need to take should the production secret key become compromised. Luckily, that is not the case, but it would be good to know, nonetheless.

In particular, what happens if one simply swaps the old key to a newly generated one? Since it is used in making hashes, does it break the entire system or make it unstable?

In the case of a compromise, would the response be as simple as generating a new key and inserting it into the production settings?

Upvotes: 7

Views: 705

Answers (1)

Lord Elrond

Reputation: 16032

The SECRET_KEY is used for the following:

  • All sessions if you are using any other session backend than django.contrib.sessions.backends.cache, or are using the default get_session_auth_hash().
  • All messages if you are using CookieStorage or FallbackStorage.
  • All PasswordResetView tokens.
  • Any usage of cryptographic signing, unless a different key is provided.

"If you rotate your secret key, all of the above will be invalidated. Secret keys are not used for passwords of users and key rotation will not affect them."

You can use the following function to generate a new key:

from django.core.management.utils import get_random_secret_key

# Prints a 50-character random string drawn from letters, digits and
# punctuation, the same helper `startproject` uses to fill SECRET_KEY.
print(get_random_secret_key())

Simply copy/paste the printed results into your settings.py.

Upvotes: 7
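To make the invalidation the answer describes concrete, here is an added stand-alone example (not code from the question or answer, and not Django's own implementation): a small HMAC signer in the same "value:signature" shape as Django's signing output, used to show what happens to an already-issued token when the key is swapped. The function names `sign`, `verify` and `rotate_demo`, the salt string and the key values are constructed for this example. The key list passed to `verify` plays the role of SECRET_KEY followed by SECRET_KEY_FALLBACKS (a Django 4.1+ setting that lets old signatures keep verifying during a planned rotation); the mechanics here are the standard library's, not Django's.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, as used for compact signatures."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sign(value: str, key: str, salt: str = "example.salt") -> str:
    """Return 'value:signature', an HMAC-SHA256 over value keyed by a
    salt-derived key. Constructed stand-in for a secret-key-based signer."""
    derived = hashlib.sha256((salt + "signer" + key).encode()).digest()
    mac = hmac.new(derived, value.encode(), hashlib.sha256).digest()
    return f"{value}:{_b64(mac)}"


def verify(signed: str, keys: List[str], salt: str = "example.salt") -> Optional[str]:
    """Return the original value if the signature matches any key in `keys`,
    else None. keys[0] stands for the current SECRET_KEY; any further keys
    stand for SECRET_KEY_FALLBACKS (still accepted for verification only)."""
    if ":" not in signed:
        return None
    value, _, sig = signed.rpartition(":")  # signature never contains ':'
    for key in keys:
        expected = sign(value, key, salt).rpartition(":")[2]
        if hmac.compare_digest(expected, sig):
            return value
    return None


def rotate_demo() -> Dict[str, Optional[str]]:
    """Mint a token under the old key, then check it under several key sets."""
    old_key = "old-compromised-key"      # constructed sample value
    new_key = secrets.token_urlsafe(48)  # freshly generated replacement
    token = sign("user:42", old_key)     # e.g. a session cookie issued before rotation
    return {
        # Pre-rotation: verifies.
        "old_key_verifies": verify(token, [old_key]),
        # Hard swap, as the question asks: every existing token is rejected.
        "new_key_only": verify(token, [new_key]),
        # Planned rotation with the old key kept as a fallback: still accepted.
        "new_key_with_fallback": verify(token, [new_key, old_key]),
        # Modified payload is rejected under every key.
        "tampered": verify(token.replace("user:42", "user:1"), [new_key, old_key]),
    }


if __name__ == "__main__":
    for name, result in rotate_demo().items():
        print(f"{name}: {result}")
```

The `new_key_only` case is the "simply swap the key" scenario from the question: the system does not become unstable, the old signatures just stop verifying, so sessions, cookie-stored messages and password-reset tokens are invalidated exactly as the answer says. The fallback case is only appropriate for a planned rotation; after an actual compromise the old key should not appear in the fallback list at all, since anything it signed could have been forged, and the invalidation is the point of rotating.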
