*full_stack* should be false only in case you want to totally disable the
error management (no error reporting and no error pages), which is usually
not the case.

Also note that *full_stack* in .ini files has no effect; it is actually
only meaningful when changed in *config/middleware.py*. I think it's still
in development.ini only for historical reasons and it would make sense to
remove it.

Most of them have already been explained before, but I'll try to recap the
most important production variables here:

- [DEFAULT] debug = false (disables the interactive debugger; leaving this
  set to true is a huge security issue)
- [DEFAULT] trace_errors.* (all those options are related to sending errors
  by email when the website crashes or is slow)
- [app:main] beaker.session.secret (this is related to the session itself,
  not to authentication)
- [app:main] auto_reload_templates = false (speed boost in production when
  set to false)
- [app:main] serve_static = false (won't serve files from public/ anymore;
  it's a speed boost if you have a proxy server like apache/nginx serving
  static files for you)
- config/app_cfg.py base_config.sa_auth.cookie_secret (this is the actual
  secret part of your authentication cookie)

Both the session secret and the cookie secret are randomly generated, so
unless your source code is public it is fairly safe to leave the default
value. If your app is open source you want to change them.

On Sun, Oct 19, 2014 at 4:42 PM, Petru Ciobanu <[email protected]>
wrote:

> maybe there is something wrong but I'm checking these options too:
>
>    - [app:main], *full_stack = false*
>    - [app:main], ensure that *auto_reload_templates = False* to boost
>    performance, but you should read the respective comments carefully.
>    - [sa_auth], check that *cookie_secret* is a secret, if you use cookie
>    based authentication or change to something better
>    - [DEFAULT], create a valid configuration for *error notifications*,
>    for example by email.
>
>
> On 19 October 2014 14:43, Raj <[email protected]> wrote:
>
>> I would like to know the list of essential *security-related* things
>> that need to be performed before making a TG based application live on
>> the web.
>> For example:
>>
>>    - In your *production.ini* file, under section [DEFAULT], set the
>>    value of *debug* to *false*
>>    - In your *production.ini* file, under section [app:main], change
>>    the value of *beaker.session.secret*
>>
>> Can anybody contribute to this list?
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "TurboGears" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To post to this group, send email to [email protected].
>> Visit this group at http://groups.google.com/group/turbogears.
>> For more options, visit https://groups.google.com/d/optout.
>>
>

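As an added example (not code from the thread or from TurboGears itself), a small Python checker that reads a production.ini with configparser and flags the settings discussed in the recap above: debug still on, no trace_errors.* notification configured, a placeholder session secret, and auto_reload_templates or serve_static left on. The sample .ini contents, the placeholder-secret list, the 20-character minimum and the `trace_errors.error_email` key name are assumptions for illustration.

```python
import configparser

# Constructed sample production.ini with weak settings (not a real project's file).
WEAK_INI = """\
[DEFAULT]
debug = true

[app:main]
beaker.session.secret = changeme
auto_reload_templates = true
serve_static = true
"""

# The same file with the settings the thread recommends for production
# (secret value and error e-mail address are constructed for this example).
HARDENED_INI = """\
[DEFAULT]
debug = false
trace_errors.error_email = ops@example.com

[app:main]
beaker.session.secret = 3f9c1e2b7a6d4e5f8b0c9d1a2e3f4b5c6d7e8f90
auto_reload_templates = false
serve_static = false
"""

# Assumed list of values that obviously were never replaced by a real secret.
PLACEHOLDER_SECRETS = {"", "changeme", "secret", "mysecret"}


def _is_false(value):
    """True only when the option is explicitly set to a false-like value."""
    return value is not None and value.strip().lower() in ("false", "0", "no", "off")


def check_production_ini(text):
    """Return a list of findings for the production.ini content in `text`."""
    cfg = configparser.ConfigParser(interpolation=None)  # secrets may contain '%'
    cfg.read_string(text)
    app = cfg["app:main"] if cfg.has_section("app:main") else cfg["DEFAULT"]
    findings = []
    # [DEFAULT] debug: the interactive debugger must be off in production.
    if not _is_false(cfg["DEFAULT"].get("debug")):
        findings.append("[DEFAULT] debug is not false: interactive debugger enabled")
    # [DEFAULT] trace_errors.*: at least one error-notification option should be set.
    if not any(k.startswith("trace_errors.") and v.strip() for k, v in cfg["DEFAULT"].items()):
        findings.append("[DEFAULT] trace_errors.* not configured: no error notifications")
    # [app:main] beaker.session.secret: reject placeholder or short secrets (20 chars assumed).
    secret = app.get("beaker.session.secret", "").strip()
    if secret.lower() in PLACEHOLDER_SECRETS or len(secret) < 20:
        findings.append("[app:main] beaker.session.secret is a placeholder or too short")
    # Settings the thread recommends switching off in production.
    for key in ("auto_reload_templates", "serve_static"):
        if not _is_false(app.get(key)):
            findings.append(f"[app:main] {key} is not false")
    return findings
```

Run `check_production_ini(open("production.ini").read())` against your own file; an empty list means none of the checks above fired.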