Update default SECRET_KEY value #810

Open
danielfmiranda opened this issue Jan 9, 2024 · 0 comments

From Stakeholders:
“…we received a security report related to https://github.com/mozilla/network-pulse-api. The security report mentions hard coded secret keys in the repo.”

After taking a look through the repo, I can see that the same “secret key” value is being hardcoded in the following places:
sample.env
travis.yml
appveyor.yml
ci.yml

After taking a look at the site settings in Heroku, I can confirm that the key found in the files above is not the secret key used in production.

However, we should update this "default" secret key value to something that is a little less confusing.

Something along the lines of:

SECRET_KEY=mydummykey  # Only for testing purposes, do not use in production

should work.
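
One way to make sure a sample value like the one proposed above can never end up protecting a production deployment, as an added example that is not code from the issue or from network-pulse-api: a startup check that parses the `sample.env`-style line and refuses placeholder or short keys outside of testing. The function names, the `production` flag and the 32-character minimum are assumptions.

```python
import secrets

# Sample values that must never protect a real deployment. "mydummykey" is
# the placeholder proposed in the issue; extend the set with any older
# sample value still present in the repository's history.
PLACEHOLDER_KEYS = {"mydummykey"}
MIN_KEY_LENGTH = 32  # assumption: shortest key accepted in production


class InsecureSecretKey(Exception):
    """The deployment would start with a missing, sample or weak key."""


def parse_env_line(line):
    """Parse one KEY=value line of a sample.env-style file.

    Returns (key, value), or None for blank and comment-only lines. An
    inline comment (space followed by '#') is dropped so the annotation
    never becomes part of the key itself.
    """
    line = line.strip()
    if not line or line.startswith("#") or "=" not in line:
        return None
    key, value = line.split("=", 1)
    return key.strip(), value.split(" #", 1)[0].strip()


def check_secret_key(value, production):
    """Return a usable key, or raise InsecureSecretKey in production."""
    if not production:
        # Local runs and CI may fall back to the documented dummy value.
        return value or "mydummykey"
    if not value:
        raise InsecureSecretKey("SECRET_KEY is not set")
    if value in PLACEHOLDER_KEYS:
        raise InsecureSecretKey("SECRET_KEY is a sample placeholder")
    if len(value) < MIN_KEY_LENGTH:
        raise InsecureSecretKey("SECRET_KEY is shorter than %d characters" % MIN_KEY_LENGTH)
    return value


# Constructed input: the line proposed in the issue and a freshly generated key.
SAMPLE_LINE = "SECRET_KEY=mydummykey  # Only for testing purposes, do not use in production"
GENERATED_KEY = secrets.token_urlsafe(48)  # 64 URL-safe characters

if __name__ == "__main__":
    _, sample_value = parse_env_line(SAMPLE_LINE)
    print(check_secret_key(sample_value, production=False))  # accepted for tests
    print(check_secret_key(GENERATED_KEY, production=True) == GENERATED_KEY)
```

Calling `check_secret_key` once at application start-up turns a copied `sample.env` into an immediate, visible failure instead of a silently weak key.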
