[ https://issues.apache.org/jira/browse/AIRFLOW-2809?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Xiaodong DENG updated AIRFLOW-2809:
-----------------------------------

    External issue URL: https://github.com/apache/incubator-airflow/pull/3651

    Description:

h2. Background

Currently there is a configuration item *secret_key* in the configuration .cfg file, with a default value "temporary_key".

h2. Issue

Most admins would ignore it and just use the default value "temporary_key". However, this may be very dangerous. Users may modify the cookie if they try the default SECRET_KEY while the admin didn't change it.

In the Flask documentation, it's suggested to have a SECRET_KEY which is as random as possible (http://flask.pocoo.org/docs/1.0/quickstart/).

h2. My Proposal

If the admin explicitly specified the SECRET_KEY in the *.cfg* file, we use this SECRET_KEY given by the admin.

If the default SECRET_KEY is not changed in the *.cfg* file, randomly generate a SECRET_KEY. Meanwhile, print INFO to remind that a randomly generated SECRET_KEY is used.

This solution will not affect user experience at all.

  was:

h2. Background

Currently there is a configuration item *secret_key* in the configuration .cfg file, with a default value "temporary_key".

h2. Issue

Most users would ignore it and just use the default value "temporary_key". However, this may be very dangerous. Users may modify the cookie if they try the default SECRET_KEY while the admin didn't change it.

In the Flask documentation, it's suggested to have a SECRET_KEY which is as random as possible (http://flask.pocoo.org/docs/1.0/quickstart/).

h2. My Proposal

If the admin explicitly specified the SECRET_KEY in the *.cfg* file, we use this SECRET_KEY given by the admin.

If the default SECRET_KEY is not changed in the *.cfg* file, randomly generate a SECRET_KEY. Meanwhile, print INFO to remind that a randomly generated SECRET_KEY is used.

This solution will not affect user experience at all.
> Security Issue Regarding Flask SECRET_KEY
> -----------------------------------------
>
>                 Key: AIRFLOW-2809
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-2809
>             Project: Apache Airflow
>          Issue Type: Improvement
>          Components: webserver
>            Reporter: Xiaodong DENG
>            Assignee: Xiaodong DENG
>            Priority: Major
>
> h2. Background
> Currently there is a configuration item *secret_key* in the configuration
> .cfg file, with a default value "temporary_key".
> h2. Issue
> Most admins would ignore it and just use the default value "temporary_key".
> However, this may be very dangerous. Users may modify the cookie if they try
> the default SECRET_KEY while the admin didn't change it.
> In the Flask documentation, it's suggested to have a SECRET_KEY which is as
> random as possible (http://flask.pocoo.org/docs/1.0/quickstart/).
> h2. My Proposal
> If the admin explicitly specified the SECRET_KEY in the *.cfg* file, we use
> this SECRET_KEY given by the admin.
> If the default SECRET_KEY is not changed in the *.cfg* file, randomly generate
> a SECRET_KEY. Meanwhile, print INFO to remind that a randomly generated
> SECRET_KEY is used.
> This solution will not affect user experience at all.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
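The key-resolution rule the proposal describes, written out as an added example; this is not code from the issue or from the linked pull request. The sign/verify helpers are a simplified HMAC stand-in for Flask's signed session cookie, and DEFAULT_SECRET_KEY, resolve_secret_key, sign and verify are names assumed here for illustration.

```python
import hashlib
import hmac
import logging
import secrets
from typing import Optional

# The shipped default named in the issue; anything equal to it is treated as unset.
DEFAULT_SECRET_KEY = "temporary_key"

log = logging.getLogger(__name__)


def resolve_secret_key(configured: Optional[str]) -> str:
    """Return the key the webserver should sign sessions with.

    An admin-supplied value that differs from the shipped default is used as-is.
    A missing value, or one still equal to the default, is replaced by a random
    key from the OS CSPRNG, and an INFO message records that this happened.
    """
    if configured and configured != DEFAULT_SECRET_KEY:
        return configured
    generated = secrets.token_urlsafe(32)  # 256 bits of randomness, URL-safe text
    log.info("secret_key is unset or still the default; using a randomly generated key")
    return generated


def sign(payload: str, key: str) -> str:
    """Simplified stand-in for a signed session cookie: '<payload>.<hmac-sha256>'."""
    mac = hmac.new(key.encode(), payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def verify(cookie: str, key: str) -> bool:
    """True only if the cookie's MAC was produced under this exact key."""
    payload, _, mac = cookie.rpartition(".")
    expected = hmac.new(key.encode(), payload.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    key = resolve_secret_key("temporary_key")          # triggers the INFO line
    stale = sign("user=alice", DEFAULT_SECRET_KEY)      # constructed sample cookie
    print("cookie signed under the default key verifies now:", verify(stale, key))
```

A key generated per process is different on every start and in every webserver worker, so existing sessions are invalidated on restart and multi-process deployments need an explicitly configured key to share sessions.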