I wanted to ask, why should I hide the secret key in a Django application? Why not just commit it to public source control? I understand the effects of an attacker finding out the secret key (from here). But if I just upload the code to GitHub and ask people to download it, run `python manage.py runserver` and go to 127.0.0.1:8000, I don't need to hide it, right? Don't those effects of revealing the secret key apply only when you run the code on your device, using your device as a server, and have them visit it at a public URL? If they're running it on their own device, that doesn't pose a security risk to me, right?
I read that knowing the secret key can allow them to bypass form validations, etc. But they would just be messing up the DB of their own local installation of the app, so why should I care?
CodePudding user response:
As you can see from the docs here: https://docs.gitguardian.com/secrets-detection/detectors/specifics/django_secret_key
The secret key is used to encrypt communication in a Django project, and as with any secret key used in cryptography, the secret key, if exposed, can and will be used to break any encryption in the project (mind you, even if you personally have not implemented encryption, Django uses it in many places such as passwords, sessions, etc.).
Therefore, if your key is exposed in, let's say, the source code of a public repo, anyone can break the encryption and get data that they might not be authorised for.
CodePudding user response:
If it's just an application run on a local machine, I don't see a reason to hide it; just make sure that the user downloading your repo knows that SECRET_KEY is public, because if that person wants for some reason to have it publicly accessible, it would pose a risk to them. The best thing to do is not to set SECRET_KEY at all, so when a user wants to run your app they will have to set their own secret.
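One way to follow this answer's advice ("don't ship a SECRET_KEY at all, make each user set their own") is to have settings.py load the key from the environment and refuse to start otherwise. The snippet below is an added example, not code from the question or from Django itself; the environment variable name DJANGO_SECRET_KEY, the helper names and the 50-character minimum are assumptions for the example (Django's own startproject generates a 50-character key prefixed with django-insecure-, which is the marker checked here).

```python
import os
import secrets

# Django's `startproject` prefixes the key it generates with this marker so the
# development-only key is easy to spot in a repository.
INSECURE_PREFIX = "django-insecure-"
# Assumed minimum; matches the length of the key Django generates.
MIN_KEY_LENGTH = 50
# Assumed environment variable name for this example.
ENV_VAR = "DJANGO_SECRET_KEY"


class MissingSecretKey(RuntimeError):
    """Raised when no usable secret key is available in the environment."""


def load_secret_key(env=None):
    """Return the secret key from the environment, never from the source tree.

    `env` defaults to os.environ; a plain mapping can be passed for testing.
    """
    env = os.environ if env is None else env
    key = env.get(ENV_VAR, "").strip()
    if not key:
        raise MissingSecretKey(
            f"{ENV_VAR} is not set; generate one (e.g. with generate_secret_key()) "
            "and export it before starting the server."
        )
    if key.startswith(INSECURE_PREFIX):
        # The checked-in development key must not be reused outside local runs.
        raise MissingSecretKey("refusing the development key generated by startproject")
    if len(key) < MIN_KEY_LENGTH:
        raise MissingSecretKey(f"{ENV_VAR} must be at least {MIN_KEY_LENGTH} characters")
    return key


def generate_secret_key():
    """Produce a fresh random key for the user to export as DJANGO_SECRET_KEY."""
    return secrets.token_urlsafe(MIN_KEY_LENGTH)


if __name__ == "__main__":
    # In settings.py this would be:  SECRET_KEY = load_secret_key()
    try:
        print("loaded key of length", len(load_secret_key()))
    except MissingSecretKey as exc:
        print("startup refused:", exc)
        print("example key:", generate_secret_key())
```

With this in place the repository contains no secret at all, so a public commit exposes nothing, and a user who deploys the app publicly gets their own key rather than the one everybody downloaded.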
CodePudding user response:
The Django secret key gets used for things like session management, signing data and password hashing. It's best practice to hide these sorts of keys, just in case.
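To make concrete what "signing data" in this answer (and the session/cookie claim in the first answer) means, the added example below models how a Django-style signed value depends on SECRET_KEY: a value signed under one key verifies only under that same key, a tampered value fails, and rotating the key invalidates everything signed before. This is illustrative code written for this page, not Django's django.core.signing module; the salt handling is simplified and the two key strings are constructed sample values.

```python
import base64
import hashlib
import hmac


class BadSignature(Exception):
    """Raised when a signed value does not verify under the given key."""


def _signature(value: str, key: str, salt: str) -> str:
    # Django's signer uses a salted HMAC keyed from SECRET_KEY; a plain HMAC over
    # salt||value is enough here to show that the signature depends on the key.
    mac = hmac.new(key.encode(), (salt + value).encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def sign(value: str, key: str, salt: str = "example-salt") -> str:
    """Return 'value:signature', the shape a session or CSRF cookie carries."""
    return f"{value}:{_signature(value, key, salt)}"


def unsign(signed: str, key: str, salt: str = "example-salt") -> str:
    """Return the original value, or raise BadSignature if the MAC is wrong."""
    value, _, sig = signed.rpartition(":")
    if not hmac.compare_digest(sig, _signature(value, key, salt)):
        raise BadSignature("signature does not match")
    return value


def verifies(signed: str, key: str, salt: str = "example-salt") -> bool:
    try:
        unsign(signed, key, salt)
        return True
    except BadSignature:
        return False


# Constructed sample keys for the demonstration only.
DEPLOYED_KEY = "constructed-deployed-key-0123456789abcdef0123456789abcdef"
ROTATED_KEY = "constructed-rotated-key-0123456789abcdef0123456789abcdef"


def demo() -> dict:
    token = sign("user_id=42", DEPLOYED_KEY)
    return {
        # The instance that issued the token accepts it.
        "same_key": verifies(token, DEPLOYED_KEY),
        # After the operator rotates SECRET_KEY, old tokens stop verifying.
        "after_rotation": verifies(token, ROTATED_KEY),
        # Changing the payload without re-signing is detected.
        "tampered": verifies(token.replace("user_id=42", "user_id=1"), DEPLOYED_KEY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The defender's takeaway is the one the second answer gives: the signature only protects an instance whose key is private to it, so a key published in the repository must never be the key a deployed instance runs with, and rotating SECRET_KEY is the remedy if it ever leaks (at the cost of invalidating existing sessions).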