Cookie signed with weak secret key
Description
The application uses a weak or commonly known secret key to sign cookies with HMAC (Hash-based Message Authentication Code). Cookie signatures are designed to prevent tampering by ensuring that only parties who know the secret key can create valid cookies. When a weak or default secret key is used, attackers can discover the key and forge authenticated cookies, bypassing this security control entirely.
Remediation
Replace the weak secret key with a cryptographically strong random value. The secret key should be at least 32 bytes (256 bits) of random data, generated using a cryptographically secure random number generator. Store the secret key securely in environment variables or a secrets management system—never hardcode it in source code or configuration files committed to version control.<br/><br/>Example for generating a strong secret key:<br/><pre># Generate a secure random secret (Linux/Mac) openssl rand -base64 32 # Or using Python python -c "import secrets; print(secrets.token_urlsafe(32))"</pre><br/>Example implementation (Python Flask):<br/><pre>import os # Load from environment variable app.config['SECRET_KEY'] = os.environ.get('SECRET_KEY') # Verify it's set and strong if not app.config['SECRET_KEY'] or len(app.config['SECRET_KEY']) < 32: raise ValueError('SECRET_KEY must be set and at least 32 characters')</pre><br/>After changing the secret key, all existing signed cookies will be invalidated and users will need to re-authenticate.