Pyramid framework weak secret key - Vulnerability Database

Pyramid framework weak secret key

Description

The Pyramid web framework uses cryptographically signed cookies to protect session data from tampering. The signature relies on a secret key that must remain confidential. Invicti reported this vulnerability because it identified that your application is configured with a weak, default, or publicly known secret key. Once the secret key is known to an attacker, the cryptographic protection of session cookies becomes ineffective, since valid signatures can be produced for arbitrary session contents.

Remediation

Immediately replace the weak secret key with a cryptographically strong random value. Generate a secret key of at least 64 characters using a secure random generator. Update your Pyramid configuration file (typically development.ini or production.ini) with the new secret:

[app:main]
session.secret = your_new_cryptographically_random_secret_key_here
# Example: use Python to generate a secure secret
# python -c 'import secrets; print(secrets.token_urlsafe(64))'

Ensure the secret key is stored securely (not in version control), use different secrets for each environment (development, staging, production), and rotate the secret key periodically. After changing the secret, all existing user sessions will be invalidated and users will need to re-authenticate.
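The Python below is an added example, not Invicti's or Pyramid's own code: it generates a secret of the recommended strength, flags weak or placeholder values before deployment, and reproduces a simplified form of Pyramid's HMAC-SHA512 signed-cookie scheme to show why rotating the secret invalidates every existing session. The deny-list, the distinct-character threshold and the simplified cookie layout are assumptions for illustration.

```python
"""Added example: vet a Pyramid session secret and show the effect of rotation."""
import base64
import hashlib
import hmac
import secrets
from typing import List, Optional

MIN_SECRET_LEN = 64  # the recommendation above: at least 64 characters

# Constructed deny-list of placeholder values commonly left in config files.
KNOWN_WEAK_SECRETS = {
    "secret", "changeme", "seekrit", "sekrit", "mysecret",
    "your_new_cryptographically_random_secret_key_here",
}


def generate_session_secret() -> str:
    """Return a URL-safe random secret; 64 random bytes encode to 86 characters."""
    return secrets.token_urlsafe(64)


def check_session_secret(secret: str) -> List[str]:
    """Return the problems found with a configured secret (empty list == acceptable)."""
    problems = []
    if secret.strip().lower() in KNOWN_WEAK_SECRETS:
        problems.append("secret is a known default or placeholder value")
    if len(secret) < MIN_SECRET_LEN:
        problems.append(f"secret is shorter than {MIN_SECRET_LEN} characters")
    if len(set(secret)) < 16:  # assumed threshold: catches 'aaaa...' style padding
        problems.append("secret has very few distinct characters")
    return problems


def sign_session(secret: str, payload: bytes) -> bytes:
    """Cookie = urlsafe_b64(HMAC-SHA512(secret, payload) || payload).

    Simplified model of Pyramid's signed-cookie serializer (no salt, no pickling).
    """
    mac = hmac.new(secret.encode(), payload, hashlib.sha512).digest()
    return base64.urlsafe_b64encode(mac + payload)


def verify_session(secret: str, cookie: bytes) -> Optional[bytes]:
    """Return the payload if its signature matches this secret, else None."""
    raw = base64.urlsafe_b64decode(cookie)
    mac, payload = raw[:64], raw[64:]  # SHA-512 digest is 64 bytes
    expected = hmac.new(secret.encode(), payload, hashlib.sha512).digest()
    return payload if hmac.compare_digest(mac, expected) else None
```

Run `check_session_secret` against the value in your .ini at startup and refuse to boot on a non-empty result; a cookie signed under the old secret fails `verify_session` after rotation, which is the session invalidation described above.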
