#22310: Document exact usage of and consequences of rotating SECRET_KEY
-------------------------------+--------------------
Reporter: erikr | Owner: nobody
Type: Uncategorized | Status: new
Component: Documentation | Version: master
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------+--------------------
Occasionally, people have accidents with their secret keys. It is somehow
leaked, or they discover that they haven't stored it as securely as they
should have. The trivial fix is to rotate your secret key. However, the
secret key is used in various places, and this may invalidate existing
tokens, sessions, etc. For example, if I remember correctly, secret keys
form part of signed cookies and password reset tokens - but not password
hashes.
We should document where exactly secret keys are being used, and therefore
which data will be invalidated as soon as you rotate your secret key. This
helps people understand what's going to happen, and will make sure nobody
keeps an unsafe secret key because they are afraid of rotating it.
This requires some digging: there are of course many direct references to
settings.SECRET_KEY, but also some more generic utilities, like cookie
signing, that use the secret key, but that various other parts of Django
then depend upon.
--
Ticket URL: <https://code.djangoproject.com/ticket/22310>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
--
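As an added illustration of the consequences the ticket asks to have documented (this is example code written for this page, not Django's own implementation), the block below uses only the Python standard library to mimic the shape of Django's signing machinery: a per-purpose key derived from the secret plus a salt, then an HMAC over the value, which is what signed cookies, sessions and password reset tokens ultimately rest on. It shows that a value signed under the old key stops verifying once only the new key is trusted, that keeping the old key around as a fallback for verification (the approach Django later adopted as the SECRET_KEY_FALLBACKS setting in 4.1, well after this ticket was filed) lets existing sessions survive the rotation while new signatures use the new key, and that a PBKDF2 password hash, whose salt is stored inside the hash itself, is unaffected by the rotation. The function names, key strings and the session value are constructed for the example and are not Django identifiers.

```python
import base64
import hashlib
import hmac
import secrets
from typing import List, Optional

# Constructed sample keys: the leaked key being retired and its replacement.
OLD_KEY = "old-leaked-secret-key"
NEW_KEY = "new-secret-key-after-rotation"


def salted_hmac(salt: str, value: str, secret: str) -> bytes:
    """Hypothetical stand-in for Django's salted_hmac(): derive a purpose-specific
    key from (salt + secret), then HMAC-SHA256 the value with it."""
    key = hashlib.sha256((salt + secret).encode()).digest()
    return hmac.new(key, value.encode(), hashlib.sha256).digest()


def b64(data: bytes) -> str:
    """URL-safe base64 without padding; the output never contains ':'."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sign(value: str, secret: str, salt: str = "example.signer") -> str:
    """Append a signature to value, the way a signed cookie carries one."""
    return value + ":" + b64(salted_hmac(salt, value, secret))


def unsign(signed: str, secrets_: List[str], salt: str = "example.signer") -> str:
    """Verify with the current key first, then any fallback keys, so that
    values signed before a rotation are still accepted during the transition."""
    value, _, sig = signed.rpartition(":")
    for secret in secrets_:
        expected = b64(salted_hmac(salt, value, secret))
        if hmac.compare_digest(sig, expected):
            return value
    raise ValueError("bad signature")


def make_password(password: str, salt: Optional[str] = None, iterations: int = 100000) -> str:
    """PBKDF2-SHA256 hash in a Django-like 'algorithm$iterations$salt$hash' layout.
    Note what is absent: no SECRET_KEY enters the computation."""
    salt = salt or secrets.token_hex(8)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt, b64(digest))


def check_password(password: str, encoded: str) -> bool:
    """Recompute the hash from the stored salt and iteration count, compare in constant time."""
    _algorithm, iterations, salt, _digest = encoded.split("$")
    return hmac.compare_digest(make_password(password, salt, int(iterations)), encoded)


def rotation_demo() -> dict:
    """Walk through a rotation from OLD_KEY to NEW_KEY and record what still verifies."""
    session_cookie = sign("sessionid=abc123", OLD_KEY)  # issued before the rotation
    results = {}

    results["old_key_verifies"] = unsign(session_cookie, [OLD_KEY]) == "sessionid=abc123"

    # Hard rotation: only the new key is trusted, so every existing cookie/token dies.
    try:
        unsign(session_cookie, [NEW_KEY])
        results["new_key_alone_verifies"] = True
    except ValueError:
        results["new_key_alone_verifies"] = False

    # Rotation with fallback: new key for signing, old key still accepted for verification.
    results["with_fallback_verifies"] = (
        unsign(session_cookie, [NEW_KEY, OLD_KEY]) == "sessionid=abc123"
    )
    results["new_signature_differs"] = sign("sessionid=abc123", NEW_KEY) != session_cookie

    # Password hashes carry their own salt and never touch the secret key.
    encoded = make_password("correct horse battery staple")
    results["password_check_after_rotation"] = check_password("correct horse battery staple", encoded)
    return results


if __name__ == "__main__":
    for name, outcome in rotation_demo().items():
        print("%-32s %s" % (name, outcome))
```

The practical reading: anything Django produces through the signing layer (session cookies under the signed-cookie backend, CSRF tokens, `signing.dumps()` payloads, password reset links) is invalidated by a hard key swap, while stored password hashes and the database-backed session rows themselves survive; keeping the retired key only in the verification fallback list gives users a grace period without ever signing anything new with the leaked key.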