path: root/docs/topics/security.txt
author: tschilling <schillingt@better-simple.com> 2021-12-13 21:47:03 -0600
committer: Mariusz Felisiak <felisiak.mariusz@gmail.com> 2022-02-01 11:12:24 +0100
commit: 0dcd549bbe36c060f536ec270d34d9e7d4b8e6c7 (patch)
tree: 8b350cec1ab50d21cf6e3afd03f3db5f02fb1679 /docs/topics/security.txt
parent: ba4a6880d1783190de4081bd456d934beb45cb19 (diff)
Fixed #30360 -- Added support for secret key rotation.
Thanks Florian Apolloner for the implementation idea.

Co-authored-by: Andreas Pelme <andreas@pelme.se>
Co-authored-by: Carlton Gibson <carlton.gibson@noumenal.es>
Co-authored-by: Vuyisile Ndlovu <terrameijar@gmail.com>
Diffstat (limited to 'docs/topics/security.txt')
-rw-r--r-- docs/topics/security.txt | 3 +-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/docs/topics/security.txt b/docs/topics/security.txt
index ee7c7f542b..abc8d5d6ac 100644
--- a/docs/topics/security.txt
+++ b/docs/topics/security.txt
@@ -296,7 +296,8 @@ security protection of the web server, operating system and other components.
* Django does not throttle requests to authenticate users. To protect against
brute-force attacks against the authentication system, you may consider
deploying a Django plugin or web server module to throttle these requests.
-* Keep your :setting:`SECRET_KEY` a secret.
+* Keep your :setting:`SECRET_KEY`, and :setting:`SECRET_KEY_FALLBACKS` if in
+ use, secret.
* It is a good idea to limit the accessibility of your caching system and
database using a firewall.
* Take a look at the Open Web Application Security Project (OWASP) `Top 10
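Review bot: the rewritten bullet tells the reader to keep SECRET_KEY_FALLBACKS secret but not why, and the comma placement in "Keep your :setting:`SECRET_KEY`, and :setting:`SECRET_KEY_FALLBACKS` if in use, secret." reads awkwardly. Since this commit adds key rotation, a fallback key is by design still accepted when verifying existing signatures, so a leaked fallback is as dangerous as the current key until it is removed from the list; it would help to say so here, and to point to the rotation guidance under the new setting. Suggested wording: "* Keep your :setting:`SECRET_KEY` secret, and treat every key in :setting:`SECRET_KEY_FALLBACKS` with the same care: old keys are still honored for verification until you remove them."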