diff options
| author | Erik Romijn <eromijn@solidlinks.nl> | 2014-09-20 10:05:03 +0200 |
|---|---|---|
| committer | Erik Romijn <eromijn@solidlinks.nl> | 2014-10-04 09:20:35 +0200 |
| commit | 4ad57bbe31bc1813264824111de2f9f74dbda0d6 (patch) | |
| tree | 78e6714e5e8e706bcae8bdc7fcf14a4f8c5504d2 /docs | |
| parent | 8c581ff39475c1b3b25d60945cc1c73a7f8eb1be (diff) | |
Fixed #22310 -- Documented exact usage of SECRET_KEY
Thanks to Tim Graham for the review.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/ref/settings.txt | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/docs/ref/settings.txt b/docs/ref/settings.txt index 6f2cfefb4b..87536aca97 100644 --- a/docs/ref/settings.txt +++ b/docs/ref/settings.txt @@ -2004,6 +2004,29 @@ Django will refuse to start if :setting:`SECRET_KEY` is not set. security protections, and can lead to privilege escalation and remote code execution vulnerabilities. +The secret key is used for: + +* All :doc:`sessions </topics/http/sessions>` if you are using + any other session backend than ``"django.contrib.sessions.backends.cache"``, + or if you use + :class:`~django.contrib.auth.middleware.SessionAuthenticationMiddleware` + and are using the default + :meth:`~django.contrib.auth.models.AbstractBaseUser.get_session_auth_hash()`. +* All :doc:`messages </ref/contrib/messages>` if you are using + :class:`~django.contrib.messages.storage.cookie.CookieStorage` or + :class:`~django.contrib.messages.storage.fallback.FallbackStorage`. +* :doc:`Form wizard </ref/contrib/formtools/form-wizard>` progress when using + cookie storage with + :class:`django.contrib.formtools.wizard.views.CookieWizardView`. +* All :func:`~django.contrib.auth.views.password_reset` tokens. +* All in progress :doc:`form previews </ref/contrib/formtools/form-preview>`. +* Any usage of :doc:`cryptographic signing </topics/signing>`, unless a + different key is provided. + +If you rotate your secret key, all of the above will be invalidated. +Secret keys are not used for passwords of users and key rotation will not +affect them. + .. setting:: SECURE_BROWSER_XSS_FILTER SECURE_BROWSER_XSS_FILTER |
