Menu
This question asks about the purpose of the Django SECRET_KEY value. One of the answers to that question stated "It needs to have a cryptographically strong amount of entopy(sp) (hard for computers to guess) and unique between all Django instances."
This is a bit ambiguous: if I say for example have a single Django application deployed to multiple web servers behind a load balancer, should each have it's own distinct SECRET_KEY, or should the SECRET_KEY be shared amongst all instances?
252
Summary: The Django secret key is used to provide cryptographic signing. This key is mostly used to sign session cookies. If one were to have this key, they would be able to modify the cookies sent by the application.
Once you change the SECRET_KEY on production, all the old sessions and cookies are invalidated, users are logged out and data in sessions are lost.
protect session data and create random session keys to avoid tampering as well. create random salt for most password hashers. create random passwords if necessary.
Both sources agree that you should create a separate app in the following situations: If you plan to reuse your app in another Django project (especially if you plan to publish it for others to reuse). If the app has few or no dependencies between it and another app.
For the same Django application you should use the same secret key to ensure that the same client can properly use the service if the load balance redirects his/her traffic mid session. Otherwise, surely undefined behavior will arise. More specifically, all these things would break.
source. As a side note, I completely agree that the secret_key aspect of Django feels dangerous and mystic, despite it being very explainable, and is not treated by the documentation with any sort of clarity.
111
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
