Tags: python, django, security, encryption

What's the purpose of Django setting ‘SECRET_KEY’?


I did a few Google searches and checked out the Django Documentation, but I was looking for a more in-depth explanation of this, and why it is required.

For example, what could happen if the key was compromised / others knew what it was?


Solution

  • It is used for making hashes. Look:

    >grep -Inr SECRET_KEY *
    conf/global_settings.py:255:SECRET_KEY = ''
    conf/project_template/settings.py:61:SECRET_KEY = ''
    contrib/auth/tokens.py:54:        hash = sha_constructor(settings.SECRET_KEY + unicode(user.id) +
    contrib/comments/forms.py:86:        info = (content_type, object_pk, timestamp, settings.SECRET_KEY)
    contrib/formtools/utils.py:15:    order, pickles the result with the SECRET_KEY setting, then takes an md5
    contrib/formtools/utils.py:32:    data.append(settings.SECRET_KEY)
    contrib/messages/storage/cookie.py:112:        SECRET_KEY, modified to make it unique for the present purpose.
    contrib/messages/storage/cookie.py:114:        key = 'django.contrib.messages' + settings.SECRET_KEY
    contrib/sessions/backends/base.py:89:        pickled_md5 = md5_constructor(pickled + settings.SECRET_KEY).hexdigest()
    contrib/sessions/backends/base.py:95:        if md5_constructor(pickled + settings.SECRET_KEY).hexdigest() != tamper_check:
    contrib/sessions/backends/base.py:134:        # Use settings.SECRET_KEY as added salt.
    contrib/sessions/backends/base.py:143:                       settings.SECRET_KEY)).hexdigest()
    contrib/sessions/models.py:16:        pickled_md5 = md5_constructor(pickled + settings.SECRET_KEY).hexdigest()
    contrib/sessions/models.py:59:        if md5_constructor(pickled + settings.SECRET_KEY).hexdigest() != tamper_check:
    core/management/commands/startproject.py:32:        # Create a random SECRET_KEY hash, and put it in the main settings.
    core/management/commands/startproject.py:37:        settings_contents = re.sub(r"(?<=SECRET_KEY = ')'", secret_key + "'", settings_contents)
    middleware/csrf.py:38:                % (randrange(0, _MAX_CSRF_KEY), settings.SECRET_KEY)).hexdigest()
    middleware/csrf.py:41:    return md5_constructor(settings.SECRET_KEY + session_id).hexdigest()
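To make the "it is used for making hashes" point concrete, here is an added example (not from the answer or from Django itself) of the pattern the grep output shows: a tamper check on cookie data keyed from SECRET_KEY, with a per-purpose salt prepended the way the messages cookie code does. It uses HMAC-SHA256 instead of the md5-of-concatenation seen above; the key, salt names and the `user_id` payload are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed example key; a real project's SECRET_KEY must be long and random.
SECRET_KEY = "constructed-example-key-do-not-reuse"


def _derived_key(secret: str, salt: str) -> bytes:
    """Per-purpose key: as in the grep output, a salt makes the same
    SECRET_KEY yield distinct keys for messages, sessions, CSRF, and so on."""
    return hashlib.sha256((salt + secret).encode()).digest()


def sign(data: dict, secret: str = SECRET_KEY, salt: str = "example.cookie") -> str:
    """Serialize data and append an HMAC-SHA256 tag keyed from SECRET_KEY."""
    payload = base64.urlsafe_b64encode(json.dumps(data, sort_keys=True).encode()).decode()
    tag = hmac.new(_derived_key(secret, salt), payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{tag}"


def verify(token: str, secret: str = SECRET_KEY, salt: str = "example.cookie"):
    """Return the data if the tag matches, else None (tampered or wrong key)."""
    payload, _, tag = token.rpartition(":")
    expected = hmac.new(_derived_key(secret, salt), payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    return json.loads(base64.urlsafe_b64decode(payload))


def demo():
    token = sign({"user_id": 42})
    ok = verify(token)                                   # genuine token: accepted
    # Changing the payload while keeping the old tag fails the check.
    _, _, tag = token.rpartition(":")
    altered = base64.urlsafe_b64encode(json.dumps({"user_id": 1}).encode()).decode() + ":" + tag
    tampered = verify(altered)                           # None
    # Rotating SECRET_KEY invalidates every token issued under the old key.
    rotated = verify(token, secret="another-constructed-key")  # None
    # A token signed for one purpose (salt) is not valid for another.
    wrong_purpose = verify(token, salt="example.session")      # None
    return ok, tampered, rotated, wrong_purpose
```

The last two checks are the operational consequences: whoever holds SECRET_KEY can produce tags that pass `verify`, and rotating the key logs every existing session out at once.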