Django Secret Key
Description
General
- Documentation: https://docs.djangoproject.com/en/2.2/ref/settings/#std:setting-SECRET_KEY
- Summary: The Django secret key is used to provide cryptographic signing. This key is mostly used to sign session cookies. Anyone who obtains this key can modify the cookies sent by the application.
Revoke the secret
To revoke the key, a new secret needs to be generated. All sessions or cookies signed with the old key will be invalidated.
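The rotation described above, as an added example that is not code from this page, from the detector, or from Django: it generates a replacement key, loads it from the `DJANGO_SECRET_KEY` environment variable with no hardcoded fallback, and shows that a value signed with the old key no longer verifies. The HMAC signing here is a simplified stand-in for Django's own signing, and the function names, `ALPHABET` and the sample key are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Character set assumed for this example; any high-entropy string works.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)"


def generate_secret_key(length=50):
    """Return a new random key drawn from a CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def load_secret_key(env, revoked=()):
    """Read the key from the environment with no hardcoded fallback.

    Refuses to start if the variable is unset or still holds a revoked key.
    """
    key = env.get("DJANGO_SECRET_KEY")
    if not key:
        raise RuntimeError("DJANGO_SECRET_KEY is not set")
    if key in revoked:
        raise RuntimeError("DJANGO_SECRET_KEY holds a revoked key")
    return key


def sign(value, key):
    """Simplified stand-in for cookie signing: value plus HMAC-SHA256 tag."""
    tag = hmac.new(key.encode(), value.encode(), hashlib.sha256).hexdigest()
    return f"{value}:{tag}"


def verify(signed, key):
    """Return the value if the tag matches under `key`, else None."""
    value, _, tag = signed.rpartition(":")
    expected = hmac.new(key.encode(), value.encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(tag.encode(), expected.encode()) else None


if __name__ == "__main__":
    old_key = "constructed-leaked-key-for-demo"  # constructed sample value
    new_key = generate_secret_key()
    cookie = sign("sessionid=abc123", old_key)    # issued before rotation
    env = {"DJANGO_SECRET_KEY": new_key}          # deployment after rotation
    active = load_secret_key(env, revoked={old_key})
    print("old cookie under old key:", verify(cookie, old_key))
    print("old cookie under new key:", verify(cookie, active))
```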
Check for suspicious activity
Django doesn't provide a way to check for suspicious activity.
Details for Secret key in django config
Family: Other
Category: Other
High recall: False
Validity check available: False
Minimum number of matches: 1
Occurrences found for one million commits: 47.43
Prefixed: False
PreValidators:
  - type: FilenameBanlistPreValidator
    banlist_extensions: []
    banlist_filenames:
      - advanced-django2019/
      - basic_django/
      - codingtest
      - course
      - demo/
      - dev.*\.py$
      - django-simple-select/
      - django_blog/
      - example/
      - example\.py$
      - examples/
      - exercise
      - gettingstarted/
      - local\.py$
      - shop_projectws9/
      - test/
      - test\.py$
      - trydjango/
      - tutorial/
      - tutorialdjango/
    check_binaries: false
    include_default_banlist_extensions: true
    ban_markup: true
  - type: ContentWhitelistPreValidator
    patterns:
      - django
  - type: ContentWhitelistPreValidator
    patterns:
      - django_secret
      - secret_key
Examples
- text: |
+SECRET_KEY = os.environ.get('DJANGO_SECRET_KEY','wwf*2#86t64!fgh6yav$aoeuo@u2o@fy&*gg76q!&%6x_wbduad')
apikey: 'wwf*2#86t64!fgh6yav$aoeuo@u2o@fy&*gg76q!&%6x_wbduad'