Is it potentially dangerous posting how I create my app.secret_key to github? Even if it's uniquely generated at the moment the app starts?
Daniel
Most of my repositories show that I use os.urandom to generate the
secret_key: http://flask.pocoo.org/docs/quickstart/#sessions
I think it's fine, but none of my sites really need heavy security
protection.
Another idea might be setting it as an environment variable, if that helps?
Zach
On Sun, Dec 11, 2011 at 7:40 PM, dalan.miller@gmail.com <
dalan.miller@gmail.com> wrote:
> Is it potentially dangerous posting how I create my app.secret_key to
> github? Even if it's uniquely generated at the moment the app starts?
>
> Daniel
How would one set an environment variable?
Having os.environ.get('DATABASE_URL') works while the app is in Heroku but
locally I don't have anything set?
I'm finding it a little difficult to mitigate working locally and my app in
Heroku.
Thank you for your help,
Daniel
On Sun, Dec 11, 2011 at 7:49 PM, Zach Williams <hey@zachwill.com> wrote:
> Most of my repositories show that I use os.urandom to generate the
> secret_key: http://flask.pocoo.org/docs/quickstart/#sessions
>
> I think it's fine, but none of my sites really need heavy security
> protection.
>
> Another idea might be setting it as an environment variable, if that helps?
>
> Zach
Here's the Heroku article: http://devcenter.heroku.com/articles/config-vars
heroku config:add SECRET_KEY=production_secret
Then in Python:
os.environ.get('SECRET_KEY', 'development_fallback')
Hopefully that should work out for you.
Zach
On Sun, Dec 11, 2011 at 7:54 PM, dalan.miller@gmail.com <
dalan.miller@gmail.com> wrote:
> How would one set an environment variable?
>
> Having os.environ.get('DATABASE_URL') works while the app is in Heroku but
> locally I don't have anything set?
>
> I'm finding it a little difficult to mitigate working locally and my app
> in Heroku.
>
> Thank you for your help,
>
> Daniel
> "Is it potentially dangerous posting how I create my app.secret_key to
> github? Even if it's uniquely generated at the moment the app starts? "
If it is of sufficient length and randomly generated using urandom, or by some other high quality source of entropy, then there is no risk of telling others how you generate it. This is similar to instructions on how to create encryption keys.
If it is not securely generated, then yes, it could be a security risk to disclose the method.
Craig Younkins
On Sun, Dec 11, 2011 at 11:01 PM, Zach Williams <hey@zachwill.com> wrote:
> Here's the Heroku article:
> http://devcenter.heroku.com/articles/config-vars
>
> heroku config:add SECRET_KEY=production_secret
>
> Then in Python:
>
> os.environ.get('SECRET_KEY', 'development_fallback')
>
> Hopefully that should work out for you.
>
> Zach
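Added example, not part of the original thread or any poster's code: one way to combine the environment-variable approach with the length and entropy criterion discussed above, so that a public repository never contains a usable production key. APP_ENV, MIN_KEY_BYTES, InsecureSecretKey and both function names are hypothetical names chosen for this example.

```python
import os

MIN_KEY_BYTES = 32  # assumption for this example, not a value from the thread
# Literal placeholder strings from the thread; anyone reading the repo knows them.
KNOWN_PLACEHOLDERS = {"development_fallback", "production_secret"}


class InsecureSecretKey(RuntimeError):
    """Raised when production would start with a missing or guessable key."""


def load_secret_key(environ=None):
    """Return the session-signing key as bytes.

    SECRET_KEY comes from the environment (for example a Heroku config var).
    APP_ENV is a hypothetical variable this example uses to mark production.
    """
    environ = os.environ if environ is None else environ
    raw = environ.get("SECRET_KEY")
    production = environ.get("APP_ENV") == "production"

    if raw is None:
        if production:
            # Fail closed instead of signing cookies with a published default.
            raise InsecureSecretKey("SECRET_KEY is not set")
        # Local development: random per-process key. Sessions reset on every
        # restart and are not shared between worker processes.
        return os.urandom(MIN_KEY_BYTES)

    key = raw.encode("utf-8")
    # Length is only a coarse proxy for entropy; it catches obvious placeholders.
    if production and (raw in KNOWN_PLACEHOLDERS or len(key) < MIN_KEY_BYTES):
        raise InsecureSecretKey("SECRET_KEY is a placeholder or too short")
    return key


def generate_key_for_config():
    """Hex string suitable as the value in `heroku config:add SECRET_KEY=...`."""
    return os.urandom(MIN_KEY_BYTES).hex()


# In the app (Flask import omitted so the example runs without it):
#   app.secret_key = load_secret_key()
```

Run generate_key_for_config() once on a trusted machine and store the result only as a config var, never in the repository.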