Fixed #30360 -- Added support for secret key rotation.

Thanks Florian Apolloner for the implementation idea. Co-authored-by: Andreas Pelme <andreas@pelme.se> Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es> Co-authored-by: Vuyisile Ndlovu <terrameijar@gmail.com>
author: tschilling <schillingt@better-simple.com> 2021-12-13 21:47:03 -0600
committer: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2022-02-01 11:12:24 +0100
commit: 0dcd549bbe36c060f536ec270d34d9e7d4b8e6c7 (patch)
tree: 8b350cec1ab50d21cf6e3afd03f3db5f02fb1679 /docs/howto/deployment
parent: ba4a6880d1783190de4081bd456d934beb45cb19 (diff)
1 files changed, 16 insertions, 0 deletions
diff --git a/docs/howto/deployment/checklist.txt b/docs/howto/deployment/checklist.txt
index 929f19dbfc..45ca2be30e 100644
--- a/docs/howto/deployment/checklist.txt
+++ b/docs/howto/deployment/checklist.txt
@@ -59,6 +59,22 @@ or from a file::
     with open('/etc/secret_key.txt') as f:
         SECRET_KEY = f.read().strip()
 
+If rotating secret keys, you may use :setting:`SECRET_KEY_FALLBACKS`::
+
+    import os
+    SECRET_KEY = os.environ['CURRENT_SECRET_KEY']
+    SECRET_KEY_FALLBACKS = [
+        os.environ['OLD_SECRET_KEY'],
+    ]
+
+Ensure that old secret keys are removed from ``SECRET_KEY_FALLBACKS`` in a
+timely manner.
+
+.. versionchanged:: 4.1
+
+    The ``SECRET_KEY_FALLBACKS`` setting was added to support rotating secret
+    keys.
+
 :setting:`DEBUG`
 ----------------
author	tschilling <schillingt@better-simple.com>	2021-12-13 21:47:03 -0600
committer	Mariusz Felisiak <felisiak.mariusz@gmail.com>	2022-02-01 11:12:24 +0100
commit	0dcd549bbe36c060f536ec270d34d9e7d4b8e6c7 (patch)
tree	8b350cec1ab50d21cf6e3afd03f3db5f02fb1679 /docs/howto/deployment
parent	ba4a6880d1783190de4081bd456d934beb45cb19 (diff)