Flask and Django require a securely generated secret key for signing session cookies. Most of the time, developers load a hardcoded secret key from a config file or from Python code. A hardcoded secret becomes a problem when the constant key is never changed before deployment, because anyone who can read the source or the shipped default then holds the signing key.

In Flask, consider generating the key with a secure random generator from the Python standard library's "secrets" module.

In Django, consider generating the key with a secure random generator such as the "get_random_secret_key()" method from "django.core.management.utils".
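As an added example (not the page's or either framework's own code), a stdlib-only helper that generates keys the way the text recommends (secrets.token_hex for Flask, and the 50-character alphabet Django's get_random_secret_key() draws from) and refuses to start with a missing or placeholder key instead of falling back to a default. The placeholder list and the 32-character minimum are assumptions.

```python
import os
import secrets

# Assumption: a constructed list of placeholder values often left in config files.
KNOWN_PLACEHOLDER_KEYS = {"", "changeme", "secret", "dev", "mysecretkey", "your-secret-key"}
MIN_KEY_LENGTH = 32  # assumption: a 32-character floor for any production key

# Same alphabet django.core.management.utils.get_random_secret_key() uses (50 chars drawn).
DJANGO_KEY_CHARS = "abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)"


def is_weak_secret(key) -> bool:
    """Return True if the key looks like a hardcoded placeholder rather than random material."""
    if key is None:
        return True
    if key.strip().lower() in KNOWN_PLACEHOLDER_KEYS:
        return True
    if len(key) < MIN_KEY_LENGTH:
        return True
    # Very low character diversity (e.g. "aaaa...") is also a red flag.
    if len(set(key)) < 8:
        return True
    return False


def generate_flask_secret_key(nbytes: int = 32) -> str:
    """Flask-style key: secrets.token_hex gives 2*nbytes hex characters (64 for 32 bytes)."""
    return secrets.token_hex(nbytes)


def generate_django_style_secret_key(length: int = 50) -> str:
    """Django-style key: 50 characters chosen with the CSPRNG from Django's alphabet."""
    return "".join(secrets.choice(DJANGO_KEY_CHARS) for _ in range(length))


def load_secret_key(env=None, var_name: str = "SECRET_KEY") -> str:
    """Read the key from the environment and refuse a missing or weak one.

    Unlike the Redash pattern cited below, there is no fallback default:
    a missing key is a startup error, not a silently shared secret.
    """
    env = os.environ if env is None else env
    key = env.get(var_name)
    if key is None:
        raise RuntimeError(f"{var_name} is not set; generate one and export it")
    if is_weak_secret(key):
        raise RuntimeError(f"{var_name} looks like a hardcoded placeholder; refusing to start")
    return key
```

In a Flask app the loaded value goes into app.config["SECRET_KEY"]; in Django settings it becomes SECRET_KEY, so the constant never lives in source.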

Safe Django SECRET_KEY Example:

Unsafe Django SECRET_KEY Example:

Safe Flask SECRET_KEY Example:

Unsafe Flask SECRET_KEY Example:

config1.py

config2.py

config3.py

__init__.py

  • Flask Documentation
  • Django Documentation
  • Flask-JWT-Extended Documentation
  • CVE-2023-27524 - Apache Superset has had multiple CVEs related to this kind of vulnerability
  • CVE-2020-17526 - Apache Airflow has had multiple CVEs related to this kind of vulnerability
  • CVE-2021-41192 - Redash read the secret from an environment variable with a default value, so the default secret was used whenever the environment variable did not exist