
Fixed #22310 -- Added SECRET_KEY usage in docs

Document in topics/signing.html what's arising from
settings.SECRET_KEY in core and contrib.
1 parent d2f4553 commit 5f8e017c6d2378251d3a68a346b01b19a4293cf7 @ZuluPro committed
Showing with 16 additions and 0 deletions.
  1. +16 −0 docs/topics/signing.txt
16 docs/topics/signing.txt
@@ -34,6 +34,22 @@ When you create a new Django project using :djadmin:`startproject`, the
data -- it is vital you keep this secure, or attackers could use it to
generate their own signed values.
+.. warning::
+ In production, be sure to protect your :setting:`SECRET_KEY`,
+ change it can break modules' data arising like cookies and sessions.
+:setting:`SECRET_KEY` is used by ``django.utils.crypto.salted_hmac``
+which is present in serveral ``django.core`` and ``django.contrib``'s module.
+Basically we can list the following:
+- ``django.core.http.request.HttpRequest``
+- ``django.core.http.response.HttpResponseBase``
+- ````
+- ``django.contrib.sessions.backends.base.SessionBase``
+- ``django.contrib.auth.tokens.PasswordResetTokenGenerator``
+- ``django.contrib.auth.models.AbstractBaseUser.get_session_auth_hash`` (since 1.8)
+- ``django.contrib.formtool.utils.form_hmac``
Using the low-level API
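
Review bot: The list after "Basically we can list the following:" contains an empty item (``- ````) and dotted paths that do not match Django's package layout, so readers cannot look them up. The request and response classes live in ``django.http.request`` and ``django.http.response`` (there is no ``django.core.http``), and the form helper is ``django.contrib.formtools.utils.form_hmac`` (``formtools``, not ``formtool``). Please drop or fill the empty item and correct those paths. In the warning, "change it can break modules' data arising like cookies and sessions" is hard to parse. Consider stating the consequence directly, for example that changing :setting:`SECRET_KEY` invalidates existing signed data such as cookies and sessions. That also separates it from the instruction to keep the key secret, which the preceding paragraph already gives. Also fix "serveral" and "``django.contrib``'s module" (plural "modules").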
