The purpose of Django's "SECRET_KEY" setting

Time: 2022-05-25 00:20:29

What exactly is the point of the SECRET_KEY in django? I did a few google searches and checked out the docs ( https://docs.djangoproject.com/en/dev/ref/settings/#secret-key ), but I was looking for a more in-depth explanation of this, and why it is required.


For example, what could happen if the key was compromised / others knew what it was? Thank you.


2 solutions

#1


64  

It is used for making hashes. Look:


>grep -Inr SECRET_KEY *
conf/global_settings.py:255:SECRET_KEY = ''
conf/project_template/settings.py:61:SECRET_KEY = ''
contrib/auth/tokens.py:54:        hash = sha_constructor(settings.SECRET_KEY + unicode(user.id) +
contrib/comments/forms.py:86:        info = (content_type, object_pk, timestamp, settings.SECRET_KEY)
contrib/formtools/utils.py:15:    order, pickles the result with the SECRET_KEY setting, then takes an md5
contrib/formtools/utils.py:32:    data.append(settings.SECRET_KEY)
contrib/messages/storage/cookie.py:112:        SECRET_KEY, modified to make it unique for the present purpose.
contrib/messages/storage/cookie.py:114:        key = 'django.contrib.messages' + settings.SECRET_KEY
contrib/sessions/backends/base.py:89:        pickled_md5 = md5_constructor(pickled + settings.SECRET_KEY).hexdigest()
contrib/sessions/backends/base.py:95:        if md5_constructor(pickled + settings.SECRET_KEY).hexdigest() != tamper_check:
contrib/sessions/backends/base.py:134:        # Use settings.SECRET_KEY as added salt.
contrib/sessions/backends/base.py:143:                       settings.SECRET_KEY)).hexdigest()
contrib/sessions/models.py:16:        pickled_md5 = md5_constructor(pickled + settings.SECRET_KEY).hexdigest()
contrib/sessions/models.py:59:        if md5_constructor(pickled + settings.SECRET_KEY).hexdigest() != tamper_check:
core/management/commands/startproject.py:32:        # Create a random SECRET_KEY hash, and put it in the main settings.
core/management/commands/startproject.py:37:        settings_contents = re.sub(r"(?<=SECRET_KEY = ')'", secret_key + "'", settings_contents)
middleware/csrf.py:38:                % (randrange(0, _MAX_CSRF_KEY), settings.SECRET_KEY)).hexdigest()
middleware/csrf.py:41:    return md5_constructor(settings.SECRET_KEY + session_id).hexdigest()

#2


5  

The Django documentation for cryptographic signing covers the uses of the ‘SECRET_KEY’ setting:


This value [the SECRET_KEY setting] is the key to securing signed data – it is vital you keep this secure, or attackers could use it to generate their own signed values.


(This section is also referenced from the Django documentation for the ‘SECRET_KEY’ setting.)


The cryptographic signing API in Django is available to any app for cryptographically-secure signatures on values. Django itself makes use of this in various higher-level features:


  • Signing serialised data (e.g. JSON documents).

  • Unique tokens for a user session, password reset request, messages, etc.

  • Prevention of cross-site or replay attacks by adding (and then expecting) unique values for the request.

  • Generating a unique salt for hash functions.

So, the general answer is: There are many things in a Django app which require a cryptographic signature, and the ‘SECRET_KEY’ setting is the key used for those. It needs to have a cryptographically strong amount of entropy (hard for computers to guess) and be unique between all Django instances.

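Both answers describe the same mechanism: Django derives a per-purpose key from a salt plus SECRET_KEY and uses it as an HMAC key to sign values, so anyone holding SECRET_KEY can mint valid signatures. The following added example (not Django's code and not from either answer) is a simplified re-implementation of that salted-HMAC signer; it shows why a tampered value, a signature made under a different key, or one made for a different purpose (salt) is rejected, and how a key with enough entropy is generated. The function names, the salt strings and the sample value are assumptions.

```python
import base64
import hashlib
import hmac
import secrets

# Simplified re-implementation of Django's salted-HMAC signing scheme.
# Example code for illustration, not Django's own (see django.core.signing).
SEP = ":"

def salted_hmac(salt: str, value: str, secret: str) -> bytes:
    # Django derives a per-purpose key from salt + SECRET_KEY, so a signature
    # produced for one feature (sessions, password reset, messages) is not
    # valid for another even though they all share the same SECRET_KEY.
    key = hashlib.sha256((salt + secret).encode()).digest()
    return hmac.new(key, value.encode(), hashlib.sha256).digest()

def b64_encode(raw: bytes) -> str:
    # URL-safe base64 without padding; its alphabet never contains SEP.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign(value: str, secret: str, salt: str = "example.signer") -> str:
    return value + SEP + b64_encode(salted_hmac(salt, value, secret))

def unsign(signed: str, secret: str, salt: str = "example.signer") -> str:
    # The signature follows the last SEP, so values may themselves contain SEP.
    value, _, sig = signed.rpartition(SEP)
    expected = b64_encode(salted_hmac(salt, value, secret))
    # Constant-time comparison so timing does not leak the expected signature.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        raise ValueError("signature does not match: tampered or wrong key")
    return value

def is_valid(signed: str, secret: str, salt: str = "example.signer") -> bool:
    try:
        unsign(signed, secret, salt)
        return True
    except ValueError:
        return False

def generate_secret_key(nbytes: int = 50) -> str:
    # A SECRET_KEY must be unpredictable: draw it from the OS CSPRNG,
    # never reuse a fixed string across deployments.
    return secrets.token_urlsafe(nbytes)

if __name__ == "__main__":
    secret = generate_secret_key()
    token = sign("user:42", secret)                      # constructed sample value
    print(token, is_valid(token, secret))                # True
    print(is_valid(token.replace("42", "43"), secret))   # False: value tampered
    print(is_valid(token, generate_secret_key()))        # False: different SECRET_KEY
```

In Django itself the equivalent pair is `django.core.signing.Signer.sign()` / `unsign()`, and `django.core.management.utils.get_random_secret_key()` produces a fresh key.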
