Browse files

Fixed #18759 -- updated SECRET_KEY documentation

  Document SECRET_KEY becoming required in 1.5.

  Also expand the description slightly, and add a more prominent warning
  about the security implications of running with an exposed SECRET_KEY.
  • Loading branch information...
1 parent fd04e71 commit e38112d882a8aec0aaf6d52ab6d07fa1a408a3aa @pjdelport pjdelport committed with DrMeers Aug 13, 2012
Showing with 17 additions and 3 deletions.
  1. +17 −3 docs/ref/settings.txt
@@ -1537,9 +1537,23 @@ SECRET_KEY
Default: ``''`` (Empty string)
-A secret key for this particular Django installation. Used to provide a seed in
-secret-key hashing algorithms. Set this to a random string -- the longer, the
-better. `` startproject`` creates one automatically.
+A secret key for a particular Django installation. This is used to provide
+:doc:`cryptographic signing </topics/signing>`, and should be set to a unique,
+unpredictable value.
+:djadmin:` startproject <startproject>` automatically adds a
+randomly-generated ``SECRET_KEY`` to each new project.
+.. warning::
+ **Keep this value secret.**
+ Running Django with a known :setting:`SECRET_KEY` defeats many of Django's
+ security protections, and can lead to privilege escalation and remote code
+ execution vulnerabilities.
+.. versionchanged:: 1.5
+ Django will now refuse to start if :setting:`SECRET_KEY` is not set.

0 comments on commit e38112d

Please sign in to comment.