"Django-insecure" in secret key in settings.py in django

Question

After creating a new project with django-admin startproject my settings.py contain:

SECRET_KEY = 'django-insecure <actual secret key>'

I've never seen "django-insecure' before in a secret key. What does it mean?

Answer 1

Why is the key insecure, when auto-created? Seems to be much safer than a key thought of by a human.

It is generated using a well known process from a source of entropy whose quality and security cannot be guaranteed (by Django). This is the ostensible reason for this; see https://docs.djangoproject.com/en/3.2/ref/checks/#security

security.W009: Your SECRET_KEY has less than 50 characters, less than 5 unique characters, or it’s prefixed with 'django-insecure-' indicating that it was generated automatically by Django. Please generate a long and random SECRET_KEY, otherwise many of Django’s security-critical features will be vulnerable to attack.

More importantly, any secret key that is embedded in a settings file is only as secure as your file system's access control mechanisms. Django settings files are an obvious place to look for the secret key.

It is more secure to hold your keys in a cryptographically secured keystore or an HSM, and then pass Django its secret key via an environment variable; see Where to store secret keys DJANGO.

And, no matter how you manage them, you should generate your secret keys yourself using hardware that you control and a mechanism + entropy source that you can 100% trust. (If you are lost for options, consider rolling some dice as a source of random digits.)