Edit: This answer is based on django 1.5
SECRET_KEY
is used in a lot of various places, I’ll point out what is impacted by it first and then try to go over that list and give precise explanation of the impact.
The list of things using SECRET_KEY
directly or indirectly:
- JSON object signing
- crypto functions for salted hmacs or seeding the random engine which impacts:
- password reset token
- comment form security to protect against forged POST requests
- form security
- protect against message tampering as the message framework may use cookies to pass messages between views.
- protect session data and create random session keys to avoid tampering as well.
- create random salt for most password hashers
- create random passwords if necessary
- create itself when using
startproject
- create CSRF key
In reality a lot of the items listed here use SECRET_KEY
through django.utils.crypt.get_random_string()
which uses it to seed the random engine. This won’t be impacted by a change in value of SECRET_KEY
.
User experience directly impacted by a change of value are:
- sessions, the data decode will break, that is valid for any session backend (cookies, database, file based or cache).
- password reset token already sent won’t work, users will have to ask a new one.
- comments form (if using
django.contrib.comments
) will not validate if it was requested before the value change and submitted after the value change. I think this is very minor but might be confusing for the user. - messages (from
django.contrib.messages
) won’t validate server-side in the same timing conditions as for comments form.
UPDATE: now working on django 1.9.5, a quick look at the source gives me pretty much the same answers. Might do a thorough inspection later.