From b7f500396e05cd1f0bb8901fce16e2d8393d2779 Mon Sep 17 00:00:00 2001 From: Artem Kosenko Date: Mon, 13 Jul 2020 20:40:38 +0300 Subject: Fixed #31757 -- Adjusted system check for SECRET_KEY to warn about autogenerated default keys. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Thanks Nick Pope, René Fleschenberg, and Carlton Gibson for reviews. --- docs/ref/checks.txt | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) (limited to 'docs') diff --git a/docs/ref/checks.txt b/docs/ref/checks.txt index b7f941ff83..2ac5d4cb1d 100644 --- a/docs/ref/checks.txt +++ b/docs/ref/checks.txt @@ -437,10 +437,11 @@ The following checks are run if you use the :option:`check --deploy` option: ``True``. Unless your site should be available over both SSL and non-SSL connections, you may want to either set this setting to ``True`` or configure a load balancer or reverse-proxy server to redirect all connections to HTTPS. -* **security.W009**: Your :setting:`SECRET_KEY` has less than 50 characters or - less than 5 unique characters. Please generate a long and random - ``SECRET_KEY``, otherwise many of Django's security-critical features will be - vulnerable to attack. +* **security.W009**: Your :setting:`SECRET_KEY` has less than 50 characters, + less than 5 unique characters, or it's prefixed with ``'django-insecure-'`` + indicating that it was generated automatically by Django. Please generate a + long and random ``SECRET_KEY``, otherwise many of Django's security-critical + features will be vulnerable to attack. * **security.W010**: You have :mod:`django.contrib.sessions` in your :setting:`INSTALLED_APPS` but you have not set :setting:`SESSION_COOKIE_SECURE` to ``True``. Using a secure-only session -- cgit v1.3