Remover SECRET_KEY padrão #244

rougeth · 2022-05-07T17:26:00Z

Enquanto revisava as variáveis de ambiente definidas no Heroku (referência apyb/tarefas#60), percebi que a SECRET_KEY não estava definida. Ao ler o settings.py, vi que essa variável tem um valor padrão definido no código fonte do site.

Precisamos remover o valor padrão do SECRET_KEY.

Warning

Keep this value secret.

Running Django with a known SECRET_KEY defeats many of Django’s security protections, and can lead to privilege escalation and remote code execution vulnerabilities.

Documentação do Django sobre SECRET_KEY: https://docs.djangoproject.com/en/4.0/ref/settings/#std:setting-SECRET_KEY

associados/associados/settings.py

Lines 106 to 109 in a7a756e

    
           SECRET_KEY = decouple.config( 
        
               'SECRET_KEY', 
        
               default='yc!+ii!psza0mi)&amp;vnn_rdsip5ipdyr(0w8hjllxw6p)!wgo1e' 
        
           )

The text was updated successfully, but these errors were encountered:

rougeth added Bug Precisa de Ajuda Issues que precisam da ajuda da comunidade para serem resolvidas labels May 7, 2022

rougeth mentioned this issue May 7, 2022

Heroku Security Incident [2413] apyb/tarefas#60

Closed

3 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Remover SECRET_KEY padrão #244

Remover SECRET_KEY padrão #244

rougeth commented May 7, 2022

Remover SECRET_KEY padrão #244

Remover SECRET_KEY padrão #244

Comments

rougeth commented May 7, 2022