Fixed #22310 -- Documented exact usage of SECRET_KEY

Thanks to Tim Graham for the review.
Erik Romijn 2014-09-20 10:05:03 +02:00
parent 8c581ff394
commit 4ad57bbe31
1 changed files with 23 additions and 0 deletions


@ -2004,6 +2004,29 @@ Django will refuse to start if :setting:`SECRET_KEY` is not set.
security protections, and can lead to privilege escalation and remote code security protections, and can lead to privilege escalation and remote code
execution vulnerabilities. execution vulnerabilities.
The secret key is used for:
* All :doc:`sessions </topics/http/sessions>` if you are using
any other session backend than ``"django.contrib.sessions.backends.cache"``,
or if you use
:class:`~django.contrib.auth.middleware.SessionAuthenticationMiddleware`
and are using the default
:meth:`~django.contrib.auth.models.AbstractBaseUser.get_session_auth_hash()`.
* All :doc:`messages </ref/contrib/messages>` if you are using
:class:`~django.contrib.messages.storage.cookie.CookieStorage` or
:class:`~django.contrib.messages.storage.fallback.FallbackStorage`.
* :doc:`Form wizard </ref/contrib/formtools/form-wizard>` progress when using
cookie storage with
:class:`django.contrib.formtools.wizard.views.CookieWizardView`.
* All :func:`~django.contrib.auth.views.password_reset` tokens.
* All in progress :doc:`form previews </ref/contrib/formtools/form-preview>`.
* Any usage of :doc:`cryptographic signing </topics/signing>`, unless a
different key is provided.
If you rotate your secret key, all of the above will be invalidated.
Secret keys are not used for passwords of users and key rotation will not
affect them.
.. setting:: SECURE_BROWSER_XSS_FILTER .. setting:: SECURE_BROWSER_XSS_FILTER
SECURE_BROWSER_XSS_FILTER SECURE_BROWSER_XSS_FILTER
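Review bot: the closing sentence "If you rotate your secret key, all of the above will be invalidated." leaves the practical consequence of the first bullet implicit; since sessions are in the list, it would help operators to state directly that rotating the key logs out every user on the affected session backends, and that the password-reset tokens and cookie-stored wizard progress in the other bullets will likewise stop validating. Minor style point in the same hunk: "All in progress :doc:`form previews ...`" should read "All in-progress" to match "All :doc:`sessions ...`" and "All :doc:`messages ...`" above it.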