SECRET_KEY is the closest thing Django has to a “root password”. That’s why we emphasize keeping it secret — someone who knows your SECRET_KEY can effectively do anything to your site anyway. For example, they could produce valid session cookies for any user, and then just hop in the admin interface.
So any attack based on “assume you know the SECRET_KEY” is already going to be able to do anything, just like anything that says “assume you know the server’s root password” can do anything. -- You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group. To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+unsubscr...@googlegroups.com. To post to this group, send email to django-developers@googlegroups.com. Visit this group at https://groups.google.com/group/django-developers. To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CAL13Cg-GRyUvqFV4dO7aO1tjtBbXgwJjRjA_sYTFAW0D%3Doe_vA%40mail.gmail.com. For more options, visit https://groups.google.com/d/optout.
