Countly · cihadtekin · Mar 25, 2026 · Mar 24, 2026 · Mar 25, 2026 · Mar 25, 2026
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,10 +1,14 @@
 ## Version 25.03.X
 Fixes:
 - [hooks] Implement domain/ip address validation for hooks with http effect
+- [reports] Hardcoded default secret for the e-mails converted to be randomly generated.
+
+Enterprise fixes:
+- [drill] Hide redacted user properties in filters
 
 Dependencies:
 - Bump countly-sdk-web from 26.1.0 to 26.1.1
-- Bump ejs from 4.0.1 to 5.0.1 
+- Bump ejs from 4.0.1 to 5.0.1
 - Bump express-rate-limit from 8.3.0 to 8.3.1
 - Bump fast-xml-parser from 5.4.1 to 5.5.7 in /plugins/push
 - Bump flatted from 3.3.4 to 3.4.2
@@ -45,15 +49,15 @@ Dependencies:
 - Bump basic-ftp from 5.1.0 to 5.2.0
 - Bump cypress from 15.10.0 to 15.11.0 in /ui-tests
 - Bump fast-xml-parser and @google-cloud/storage in /plugins/push
-- Bump geoip-lite from 1.4.10 to 2.0.0 
+- Bump geoip-lite from 1.4.10 to 2.0.0
 - Bump minimatch from 9.0.5 to 9.0.9 in /api/utils/countly-request
-- Bump minimatch from 9.0.5 to 9.0.9 in /plugins/hooks 
+- Bump minimatch from 9.0.5 to 9.0.9 in /plugins/hooks
 - Bump nodemailer from 7.0.13 to 8.0.1
 - Bump qs from 6.14.1 to 6.14.2
 - Bump rollup from 4.56.0 to 4.59.0 in /plugins/journey_engine
 - Bump swiper from 12.0.3 to 12.1.2 in /plugins/content
 - Bump systeminformation from 5.30.5 to 5.31.1 in /ui-tests
-- Bump tar-stream from 3.1.7 to 3.1.8 in /plugins/system-utility 
+- Bump tar-stream from 3.1.7 to 3.1.8 in /plugins/system-utility
 
 ## Version 25.03.36
 Enterprise fixes:
@@ -94,7 +98,7 @@ Enterprise Fixes:
 ## Version 25.03.33
 Fixes:
 - [compliance-hub] Correctly merge user history on user merge
-- [core] Ensured usage of local fonts. 
+- [core] Ensured usage of local fonts.
 - [events] Fixed issue with page reloading on error
 - [push] re-schedule on a message update for auto triggers as well
 - [remote-config] Fix searching for parameter in experiment variants

diff --git a/plugins/reports/api/reports.js b/plugins/reports/api/reports.js
@@ -20,8 +20,17 @@ var reportsInstance = {},
 
 countlyConfig.passwordSecret || "";
 
+/**
+ * Generates a cryptographically secure random string of the given length.
+ * @param {number} length - desired string length
+ * @returns {string} random hex string truncated to the given length
+ */
+function generateRandomString(length) {
+    return crypto.randomBytes(Math.ceil(length / 2)).toString('hex').slice(0, length);
+}
+
 plugins.setConfigs("reports", {
-    secretKey: countlyApiConfig?.encryption?.reports_key || "Ydqa7Omkd3yhV33M3iWV1oFcOEk898h9",
+    secretKey: countlyApiConfig?.encryption?.reports_key || generateRandomString(32),
 });
 
 versionInfo.page = (!versionInfo.title) ? "https://count.ly" : null;