[Question] What is SECRET_KEY used in superset for? #7190

Closed
3 tasks done
anshbansal opened this issue Apr 1, 2019 · 4 comments

@anshbansal

Make sure these boxes are checked before submitting your issue - thank you!

  • I have checked the superset logs for python stacktraces and included it here as text if there are any.
  • I have reproduced the issue with at least the latest released version of superset.
  • I have checked the issue tracker for the same issue and I haven't found one similar.

The documentation at https://superset.incubator.apache.org/installation.html says "SECRET_KEY, to a long random string". It does not explain at all what this is being used for. Can someone please share what this is being used for so that I understand the level of secrecy we need to maintain for the entered value?

@enricoberti
Contributor

Hi @anshbansal! SECRET_KEY is inherited from Flask itself; it's generally used for anything that requires encryption.

@anshbansal
Author

@enricoberti Can you give some examples of what Superset uses it for? Just so that I have an idea. I am guessing credentials for the databases? Passwords of users? Are emails of users encrypted?

@mrshu
Contributor

mrshu commented Apr 2, 2019

@anshbansal I believe the link @enricoberti provided summarizes it pretty well -- pretty much everything mentioned there directly applies to Superset:

> If a secret key is set, cryptographic components can use this to sign cookies and other things. Set this to a complex random value when you want to use the secure cookie for instance.

@mistercrunch
Member

mistercrunch commented Apr 3, 2019

@anshbansal Superset uses it for database/druid passwords, flask app builder uses it for JWTs and hashing passwords (through werkzeug.security.generate_password_hash), flask-wtforms uses it for the CSRF token.

It's a global secret key used throughout the ecosystem.
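
An added illustration, not part of the thread and not Superset's or Flask's own code: the sketch below shows the principle behind the cookie signing mentioned in the replies, using a simplified HMAC-SHA256 cookie format as a stand-in for Flask's real session format. All function names and the sample session are constructed for this example.

```python
import base64, hashlib, hmac, json, secrets

def new_secret_key() -> str:
    # "A long random string": 32 bytes from the OS CSPRNG, URL-safe encoded.
    return secrets.token_urlsafe(32)

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mac(secret_key: str, payload: str) -> bytes:
    return hmac.new(secret_key.encode(), payload.encode(), hashlib.sha256).digest()

def sign_cookie(secret_key: str, session: dict) -> str:
    # Cookie = base64(JSON payload) + "." + base64(HMAC over the payload).
    payload = b64(json.dumps(session, sort_keys=True).encode())
    return payload + "." + b64(mac(secret_key, payload))

def load_cookie(secret_key: str, cookie: str):
    """Return the session dict, or None if the signature does not verify."""
    try:
        payload, sig = cookie.split(".")
        if not hmac.compare_digest(mac(secret_key, payload), unb64(sig)):
            return None
        return json.loads(unb64(payload))
    except ValueError:  # malformed cookie, bad base64 or bad JSON
        return None

def peek_payload(cookie: str) -> dict:
    # No key needed: signing protects integrity, not confidentiality.
    return json.loads(unb64(cookie.split(".")[0]))

if __name__ == "__main__":
    key = new_secret_key()
    session = {"user_id": 7, "role": "viewer"}  # constructed sample session
    cookie = sign_cookie(key, session)
    print("valid cookie      ->", load_cookie(key, cookie))
    print("readable sans key ->", peek_payload(cookie))
    # Payload changed but signature kept: rejected by the server-side check.
    changed = sign_cookie("not-the-key", {"user_id": 7, "role": "admin"})
    tampered = changed.split(".")[0] + "." + cookie.split(".")[1]
    print("tampered cookie   ->", load_cookie(key, tampered))
    # After the key changes, every previously issued cookie stops verifying.
    print("after key change  ->", load_cookie(new_secret_key(), cookie))
```

The practical reading for the original question: whoever holds the key can produce values the application will accept as its own, and changing the key invalidates everything signed under the old one.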
