Django weak secret key
Description
Django uses a SECRET_KEY configuration value to cryptographically sign session cookies, preventing unauthorized modification of session data. This application is configured with a weak, default, or publicly known secret key that can be easily guessed or discovered by attackers. When the secret key is compromised, the cryptographic protection of session cookies becomes ineffective, allowing attackers to forge or manipulate session data.
Remediation
Generate a new, cryptographically strong SECRET_KEY value and update your Django configuration immediately. The secret key should be at least 50 characters long, contain a mix of letters, numbers, and special characters, and be randomly generated. Update the SECRET_KEY in your settings.py file:<br/><br/><pre># settings.py SECRET_KEY = 'your-new-randomly-generated-secret-key-here' # You can generate a secure key using Python: # python -c 'from django.core.management.utils import get_random_secret_key; print(get_random_secret_key())'</pre><br/>Store the secret key securely using environment variables or a secrets management system rather than hardcoding it in your source code. Never commit the secret key to version control. After changing the key, all existing sessions will be invalidated and users will need to log in again.