[Django] #22310: Document exact usage of and consequences of rotating SECRET_KEY


Django

Mar 22, 2014, 5:52:39 AM3/22/14
to django-...@googlegroups.com
#22310: Document exact usage of and consequences of rotating SECRET_KEY
-------------------------------+--------------------
Reporter: erikr | Owner: nobody
Type: Uncategorized | Status: new
Component: Documentation | Version: master
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Easy pickings: 1 | UI/UX: 0
-------------------------------+--------------------
Occasionally, people have accidents with their secret keys. It is somehow
leaked, or they discover that they haven't stored it as securely as they
should have. The trivial fix is to rotate your secret key. However, the
secret key is used in various places, and this may invalidate existing
tokens, sessions, etc. For example, if I remember correctly, secret keys
form part of signed cookies and password reset tokens - but not password
hashes.

We should document where exactly secret keys are being used, and therefore
which data will be invalidated as soon as you rotate your secret key. This
helps people understand what's going to happen, and will make sure nobody
keeps an unsafe secret key because they are afraid of rotating it.

This requires some digging: there are of course many direct references to
settings.SECRET_KEY, but also some more generic utilities, like cookie
signing, that use the secret key, but that various other parts of Django
then depend upon.

--
Ticket URL: <https://code.djangoproject.com/ticket/22310>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.

Django

Mar 22, 2014, 7:09:02 AM3/22/14
to django-...@googlegroups.com
#22310: Document exact usage of and consequences of rotating SECRET_KEY
--------------------------------------+------------------------------------
Reporter: erikr | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: Documentation | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by claudep):

* needs_better_patch: => 0
* needs_docs: => 0
* type: Uncategorized => Cleanup/optimization
* needs_tests: => 0
* stage: Unreviewed => Accepted


--
Ticket URL: <https://code.djangoproject.com/ticket/22310#comment:1>

Django

Mar 23, 2014, 7:32:03 PM3/23/14
to django-...@googlegroups.com
#22310: Document exact usage of and consequences of rotating SECRET_KEY
--------------------------------------+------------------------------------
Reporter: erikr | Owner: nobody
Type: Cleanup/optimization | Status: new
Component: Documentation | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
--------------------------------------+------------------------------------

Comment (by russellm):

Agreed this is a good idea.

A related issue is #20081, which would minimise the risk of a "leak to
version control" of the `SECRET_KEY`.

--
Ticket URL: <https://code.djangoproject.com/ticket/22310#comment:2>

Django

Apr 6, 2014, 11:31:25 AM4/6/14
to django-...@googlegroups.com
#22310: Document exact usage of and consequences of rotating SECRET_KEY
--------------------------------------+------------------------------------
Reporter: erikr | Owner: Zulu
Type: Cleanup/optimization | Status: assigned
Component: Documentation | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by Zulu):

* status: new => assigned
* owner: nobody => Zulu


--
Ticket URL: <https://code.djangoproject.com/ticket/22310#comment:3>

Django

Apr 6, 2014, 11:45:35 AM4/6/14
to django-...@googlegroups.com
#22310: Document exact usage of and consequences of rotating SECRET_KEY
--------------------------------------+------------------------------------
Reporter: erikr | Owner: Zulu
Type: Cleanup/optimization | Status: assigned
Component: Documentation | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
--------------------------------------+------------------------------------

Comment (by Zulu):

Where should this doc be included?

--
Ticket URL: <https://code.djangoproject.com/ticket/22310#comment:4>

Django

Apr 6, 2014, 12:01:14 PM4/6/14
to django-...@googlegroups.com
#22310: Document exact usage of and consequences of rotating SECRET_KEY
--------------------------------------+------------------------------------
Reporter: erikr | Owner: Zulu
Type: Cleanup/optimization | Status: assigned
Component: Documentation | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
--------------------------------------+------------------------------------

Comment (by erikr):

I think https://docs.djangoproject.com/en/dev/topics/signing/ might be the
best place, as that's what SECRET_KEY is already described as being used
for from the settings documentation.

--
Ticket URL: <https://code.djangoproject.com/ticket/22310#comment:5>

Django

Apr 7, 2014, 3:32:44 PM4/7/14
to django-...@googlegroups.com
#22310: Document exact usage of and consequences of rotating SECRET_KEY
--------------------------------------+------------------------------------
Reporter: erikr | Owner: Zulu
Type: Cleanup/optimization | Status: assigned
Component: Documentation | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 1 | UI/UX: 0
--------------------------------------+------------------------------------

Comment (by Zulu):

Hello erikr,
My work is available at
https://github.com/ZuluPro/django/commit/5f8e017c6d2378251d3a68a346b01b19a4293cf7

Tell me if you want me to go more in depth.
Thanks

--
Ticket URL: <https://code.djangoproject.com/ticket/22310#comment:6>

Django

Apr 8, 2014, 12:03:05 PM4/8/14
to django-...@googlegroups.com
#22310: Document exact usage of and consequences of rotating SECRET_KEY
--------------------------------------+------------------------------------
Reporter: erikr | Owner: Zulu
Type: Cleanup/optimization | Status: assigned
Component: Documentation | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 1 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by erikr):

* needs_better_patch: 0 => 1
* has_patch: 0 => 1


Comment:

Thanks for the patch, but I had something a bit more practical in mind.
More like (contents all fictional):

{{{

The secret key is used for:

* Password reset tokens
* Session using the FooBarBackend
* Signed cookies you may have set yourself using .....
* ...

If you rotate your secret key, all of the above will be invalidated.

Secret keys are not used, and rotation therefore will not affect:

* Password stored for users
* Sessions using other backends than FooBarBackend
* ...

}}}

The second list would not be exhaustive, just some items where confusion
is more likely.

--
Ticket URL: <https://code.djangoproject.com/ticket/22310#comment:7>
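As an added illustration of the two lists in the comment above (example code written for this page, not Django's own implementation): a Django-style salted HMAC signer, where the signing key is derived from a salt plus SECRET_KEY, placed next to a PBKDF2 password hash that never sees the secret. The `rotation_effects` helper, the salts and the sample values are constructed assumptions.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed example (not Django's own code): a Django-style salted HMAC
# signer. Django derives the HMAC key from a salt plus SECRET_KEY, so every
# signature depends on the secret; password hashes do not.

def salted_hmac(key_salt: str, value: str, secret: str) -> bytes:
    """Derive a key from salt+secret, then HMAC the value (Django's scheme)."""
    key = hashlib.sha256((key_salt + secret).encode()).digest()
    return hmac.new(key, value.encode(), hashlib.sha256).digest()

def sign(value: str, secret: str, salt: str = "example.salt") -> str:
    sig = base64.urlsafe_b64encode(salted_hmac(salt, value, secret)).decode().rstrip("=")
    return f"{value}:{sig}"

def unsign(signed: str, secret: str, salt: str = "example.salt"):
    """Return the value if the signature verifies under `secret`, else None."""
    value, _, sig = signed.rpartition(":")
    expected = base64.urlsafe_b64encode(salted_hmac(salt, value, secret)).decode().rstrip("=")
    if hmac.compare_digest(sig, expected):
        return value
    return None

def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    # PBKDF2 keyed only by a per-user salt; SECRET_KEY never enters here.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def rotation_effects(old_secret: str, new_secret: str) -> dict:
    """Show what survives a SECRET_KEY rotation and what does not."""
    cookie = sign("session-data", old_secret)                # signed cookie / session
    reset_token = sign("user42:ts", old_secret, "pw.reset")  # password reset token
    salt = b"per-user-salt"                                  # constructed per-user salt
    pw_hash = hash_password("hunter2", salt)
    return {
        "cookie_valid_before": unsign(cookie, old_secret) == "session-data",
        "cookie_valid_after": unsign(cookie, new_secret) == "session-data",
        "reset_token_valid_after": unsign(reset_token, new_secret, "pw.reset") is not None,
        "password_check_after": hmac.compare_digest(pw_hash, hash_password("hunter2", salt)),
    }

if __name__ == "__main__":
    print(rotation_effects("old-secret", secrets.token_urlsafe(32)))
```

Anything verified through `unsign` dies with the old key, while the stored password hash still checks out because its only key material is the per-user salt.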

Django

May 16, 2014, 11:54:51 AM5/16/14
to django-...@googlegroups.com
#22310: Document exact usage of and consequences of rotating SECRET_KEY
--------------------------------------+------------------------------------
Reporter: erikr | Owner: erikr
Type: Cleanup/optimization | Status: assigned
Component: Documentation | Version: master

Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 1 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by erikr):

* owner: Zulu => erikr


Comment:

I am currently working on this, but it'll have to wait on #22638.

--
Ticket URL: <https://code.djangoproject.com/ticket/22310#comment:8>

Django

Jul 30, 2014, 1:39:40 PM7/30/14
to django-...@googlegroups.com
#22310: Document exact usage of and consequences of rotating SECRET_KEY
--------------------------------------+------------------------------------
Reporter: erikr | Owner: erikr
Type: Cleanup/optimization | Status: assigned
Component: Documentation | Version: master

Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 1
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by timo):

* easy: 1 => 0


--
Ticket URL: <https://code.djangoproject.com/ticket/22310#comment:9>

Django

Sep 20, 2014, 4:07:32 AM9/20/14
to django-...@googlegroups.com
#22310: Document exact usage of and consequences of rotating SECRET_KEY
--------------------------------------+------------------------------------
Reporter: erikr | Owner: erikr
Type: Cleanup/optimization | Status: assigned
Component: Documentation | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by erikr):

* needs_better_patch: 1 => 0


Comment:

PR: https://github.com/django/django/pull/3245

--
Ticket URL: <https://code.djangoproject.com/ticket/22310#comment:10>

Django

Sep 22, 2014, 7:45:01 AM9/22/14
to django-...@googlegroups.com
#22310: Document exact usage of and consequences of rotating SECRET_KEY
-------------------------------------+-------------------------------------
Reporter: erikr | Owner: erikr
Type: Cleanup/optimization | Status: assigned
Component: Documentation | Version: master
Severity: Normal | Resolution:
Keywords: | Triage Stage: Ready for checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by timgraham):

* stage: Accepted => Ready for checkin


--
Ticket URL: <https://code.djangoproject.com/ticket/22310#comment:11>

Django

Oct 4, 2014, 3:21:38 AM10/4/14
to django-...@googlegroups.com
#22310: Document exact usage of and consequences of rotating SECRET_KEY
-------------------------------------+-------------------------------------
Reporter: erikr | Owner: erikr
Type: Cleanup/optimization | Status: closed
Component: Documentation | Version: master
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Ready for checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------
Changes (by Erik Romijn <eromijn@…>):

* status: assigned => closed
* resolution: => fixed


Comment:

In [changeset:"4ad57bbe31bc1813264824111de2f9f74dbda0d6"]:
{{{
#!CommitTicketReference repository=""
revision="4ad57bbe31bc1813264824111de2f9f74dbda0d6"
Fixed #22310 -- Documented exact usage of SECRET_KEY

Thanks to Tim Graham for the review.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/22310#comment:12>

Django

Oct 4, 2014, 3:26:03 AM10/4/14
to django-...@googlegroups.com
#22310: Document exact usage of and consequences of rotating SECRET_KEY
-------------------------------------+-------------------------------------
Reporter: erikr | Owner: erikr
Type: Cleanup/optimization | Status: closed
Component: Documentation | Version: master
Severity: Normal | Resolution: fixed
Keywords: | Triage Stage: Ready for checkin
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------------+-------------------------------------

Comment (by Erik Romijn <eromijn@…>):

In [changeset:"ab8afafcc06b4d1f306459756a74eee3392b782d"]:
{{{
#!CommitTicketReference repository=""
revision="ab8afafcc06b4d1f306459756a74eee3392b782d"
[1.7.x] Fixed #22310 -- Documented exact usage of SECRET_KEY

Backport of 4ad57bbe31bc1813264824111de2f9f74dbda0d6 from master.
}}}

--
Ticket URL: <https://code.djangoproject.com/ticket/22310#comment:13>
