BottlePy weak secret key
Description
The Bottle web framework can sign cookies with a secret key so that a client cannot tamper with the stored value: on the way out the cookie value is serialized and HMAC-signed with the secret, and on the way in the signature is checked before the value is trusted. Signed cookies are not encrypted, so the protection rests entirely on the secret staying unguessable. This vulnerability occurs when the application signs cookies with a weak, default, or publicly known secret. The scanner was able to guess the secret in use, which means it is not sufficiently random or has been exposed, and anyone who can guess it can mint cookies with arbitrary contents that the application will accept as genuine.
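The following added example, which is not Bottle's own code, shows why a guessable secret is fatal and how a strong one defeats the same attack. It models Bottle's signed-cookie layout (a "!" prefix, the base64 HMAC, a "?" separator, then the base64 payload) with HMAC-SHA256 over a JSON-serialized [name, value] pair; real Bottle releases serialize the pair with pickle instead, so treat this as a model of the signing logic rather than a drop-in replacement for response.set_cookie and request.get_cookie. The wordlist, the environment variable name BOTTLE_COOKIE_SECRET, the 32-character minimum and the load_secret helper are all assumptions made for the example.

```python
"""Model of Bottle-style signed cookies: weak secret vs. strong secret.
Added example; not code from the Bottle project."""
import base64
import hashlib
import hmac
import json
import os
import secrets

# Assumed policy: anything shorter than this is rejected as weak.
MIN_SECRET_LEN = 32
# Constructed wordlist of defaults and placeholders a scanner tries first.
COMMON_SECRETS = ["secret", "changeme", "bottle", "password", "mysecretkey"]


def sign_cookie(name, value, secret):
    """Serialize [name, value] and sign it: '!' + b64(HMAC) + '?' + b64(payload)."""
    msg = base64.b64encode(json.dumps([name, value]).encode())
    sig = base64.b64encode(hmac.new(secret.encode(), msg, hashlib.sha256).digest())
    return "!" + sig.decode() + "?" + msg.decode()


def verify_cookie(name, cookie, secret):
    """Return the stored value if the signature is valid for `name`, else None."""
    if not cookie.startswith("!") or "?" not in cookie:
        return None
    sig, msg = cookie[1:].split("?", 1)
    expected = base64.b64encode(
        hmac.new(secret.encode(), msg.encode(), hashlib.sha256).digest()
    ).decode()
    # Constant-time comparison, as Bottle does, to avoid timing leaks.
    if not hmac.compare_digest(sig, expected):
        return None
    stored_name, value = json.loads(base64.b64decode(msg))
    return value if stored_name == name else None


def guess_secret(name, cookie, candidates):
    """Dictionary attack: the first candidate under which the cookie verifies."""
    for cand in candidates:
        if verify_cookie(name, cookie, cand) is not None:
            return cand
    return None


def load_secret(env_var="BOTTLE_COOKIE_SECRET", environ=None):
    """Load the signing secret from the environment and refuse weak values.
    Assumed variable name. Raising is deliberate: generating a key at start-up
    would invalidate every cookie on restart and differ between workers."""
    environ = os.environ if environ is None else environ
    secret = environ.get(env_var)
    if not secret:
        raise RuntimeError(f"{env_var} is not set; generate one with secrets.token_hex(32)")
    if len(secret) < MIN_SECRET_LEN or secret.lower() in COMMON_SECRETS:
        raise RuntimeError(f"{env_var} is too short or a well-known value")
    return secret


def demo():
    """Weak secret: recovered from the wordlist and used to forge a cookie.
    Strong secret: no candidate verifies, so nothing can be forged.
    Returns (guessed_weak_secret, forged_cookie_accepted, guessed_strong_secret)."""
    weak = "secret"
    cookie = sign_cookie("user", "alice", weak)
    guessed = guess_secret("user", cookie, COMMON_SECRETS)
    forged = sign_cookie("user", "admin", guessed) if guessed else None
    forged_ok = forged is not None and verify_cookie("user", forged, weak) == "admin"

    strong = secrets.token_hex(32)
    strong_cookie = sign_cookie("user", "alice", strong)
    strong_guess = guess_secret("user", strong_cookie, COMMON_SECRETS)
    return guessed, forged_ok, strong_guess


if __name__ == "__main__":
    print(demo())  # ('secret', True, None)
```

The attacker needs only one legitimately issued cookie to test candidates offline; the server never sees the guessing. With older Bottle releases the payload is unpickled after the signature check, so a forged cookie can do more than change a value, which is why the key, not the serializer, has to carry the security.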
Remediation
Replace the weak secret with a cryptographically strong random value: at least 32 bytes (256 bits) from a secure random generator, for example secrets.token_hex(32), which yields a 64-character hex string. Generate it once, outside the application, and inject it at runtime; the environment variable name BOTTLE_COOKIE_SECRET below is an example, not a Bottle convention. Note that Bottle only signs a cookie when the secret parameter is passed to response.set_cookie, and only verifies it when the same secret is passed to request.get_cookie; setting a SECRET_KEY entry in app.config does nothing by itself.
import os
from bottle import Bottle, request, response

# Generate once, outside the app (python -c "import secrets; print(secrets.token_hex(32))"),
# and inject it via the environment or a secrets manager. Generating it at
# start-up would invalidate every cookie on restart and differ per worker.
SECRET_KEY = os.environ["BOTTLE_COOKIE_SECRET"]  # 64-character hex string

app = Bottle()

@app.route('/login')
def login():
    # Cookies are signed only when secret= is passed; app.config['SECRET_KEY'] alone does nothing.
    response.set_cookie('name', 'value', secret=SECRET_KEY)
    return 'ok'

@app.route('/me')
def me():
    # Verify with the same secret; a tampered or unsigned cookie yields None.
    return request.get_cookie('name', secret=SECRET_KEY) or 'anonymous'
Store the secret in environment variables or a secrets management system rather than hardcoding it in source code, and never commit it to version control. Rotating the key invalidates every cookie signed with the old one, so expect users to be logged out; that is the desired effect, since any cookie minted with the guessed key is then rejected. Review logs for suspicious activity during the period the weak key was in use, and if the old key was ever committed, treat the repository history as exposed.