I am wondering what are the steps one would need to take should the production secret key become compromised. Luckily, that is not the case, but it would be good to know, nonetheless.
In particular, what happens if one simply swaps the old key to a newly generated one? Since it is used in making hashes, does it break the entire system or make it unstable?
In the case of a compromise, would the response be as simple as generating a new key and inserting it into the production settings?
Summary: The Django secret key is used to provide cryptographic signing. This key is mostly used to sign session cookies. If one were to have this key, they would be able to modify the cookies sent by the application.
Once you change the SECRET_KEY in production, all the old sessions and cookies are invalidated, users are logged out, and data in sessions is lost. This is good if your SECRET_KEY is compromised!
Length, forbidden prefix, and unique characters. To put that into plain English, your SECRET_KEY must be a minimum of 50 characters in length.
The SECRET_KEY is used for the following:
"If you rotate your secret key, all of the above will be invalidated. Secret keys are not used for passwords of users and key rotation will not affect them."
You can use the following function to generate a new key:
# Django's own helper: 50 characters drawn from letters, digits and punctuation
from django.core.management.utils import get_random_secret_key
print(get_random_secret_key())
Simply copy/paste the printed results into your settings.py.
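As an added illustration, not code from the question, the answer, or Django itself: a minimal stand-in for django.core.signing, modelled on its salted HMAC-SHA256 construction, that shows why rotating SECRET_KEY invalidates everything previously signed (sessions and other signed cookies), how a tampered cookie is rejected, and how keeping the old key as a fallback (the idea behind Django 4.1's SECRET_KEY_FALLBACKS setting) lets you rotate without forcing every user out. The key strings and the session value are constructed samples, and `key_is_acceptable` mirrors the three conditions behind the length/prefix/unique-character warning mentioned above.

```python
import base64
import hashlib
import hmac

# Constructed sample keys for the demo; never reuse literal keys like these.
OLD_KEY = "constructed-old-secret-key-0123456789-abcdefghijklmnop"
NEW_KEY = "constructed-new-secret-key-9876543210-qrstuvwxyzABCDEF"


def key_is_acceptable(key: str) -> bool:
    """The checks Django's security.W009 warning enforces on SECRET_KEY:
    at least 50 characters, at least 5 unique characters, and not the
    'django-insecure-' prefix that startproject generates for dev keys."""
    return (
        len(key) >= 50
        and len(set(key)) >= 5
        and not key.startswith("django-insecure-")
    )


def _b64(raw: bytes) -> str:
    """URL-safe base64 with padding stripped, as Django encodes signatures."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_signature(value: str, secret: str,
                   salt: str = "django.core.signing.Signer") -> str:
    """Salted HMAC-SHA256, modelled on django.utils.crypto.salted_hmac:
    the HMAC key is derived from salt + secret, so one SECRET_KEY yields
    independent keys for sessions, password-reset tokens and so on.
    Illustrative stand-in, not Django's code."""
    key = hashlib.sha256((salt + secret).encode()).digest()
    return _b64(hmac.new(key, value.encode(), hashlib.sha256).digest())


def sign(value: str, secret: str) -> str:
    """Append the signature to the value, 'value:signature' style."""
    return f"{value}:{make_signature(value, secret)}"


def unsign(signed: str, secret: str, fallbacks=()) -> str:
    """Return the value if the signature verifies under the current key
    or any fallback key; raise ValueError otherwise. Trying the old key
    after the new one is what a fallback-key rotation does."""
    value, sep, sig = signed.rpartition(":")
    if not sep:
        raise ValueError("no signature found")
    for candidate in (secret, *fallbacks):
        if hmac.compare_digest(sig, make_signature(value, candidate)):
            return value
    raise ValueError("bad signature")


def rotation_outcomes(value: str, old_key: str, new_key: str) -> dict:
    """Sign a session value under old_key, then show the effect of each
    verification policy after the key is rotated to new_key."""
    cookie = sign(value, old_key)
    out = {"old_key_ok": unsign(cookie, old_key) == value}
    try:                       # hard swap: every existing cookie is now invalid
        unsign(cookie, new_key)
        out["new_key_ok"] = True
    except ValueError:
        out["new_key_ok"] = False
    # graceful rotation: new key signs, old key still verifies until retired
    out["fallback_ok"] = unsign(cookie, new_key, fallbacks=[old_key]) == value
    tampered = cookie.replace(value, value + "x", 1)   # attacker edits the value
    try:
        unsign(tampered, old_key)
        out["tamper_detected"] = False
    except ValueError:
        out["tamper_detected"] = True
    return out


if __name__ == "__main__":
    for k in (OLD_KEY, NEW_KEY):
        print("acceptable key:", key_is_acceptable(k))
    print(rotation_outcomes("sessionid-12345", OLD_KEY, NEW_KEY))
```

After a compromise you want the hard-swap behaviour (no fallback), because the attacker holds the old key and any cookie it signs must stop verifying immediately; the fallback list is only for planned rotations, and the old key should be removed from it once existing sessions have expired.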