Are Django SECRET_KEY's per instance or per app?

Question:

This question asks about the purpose of the Django SECRET_KEY value. One of the answers to that question stated “It needs to have a cryptographically strong amount of entopy(sp) (hard for computers to guess) and unique between all Django instances.”

This is a bit ambiguous: if I, say for example, have a single Django application deployed to multiple web servers behind a load balancer, should each have its own distinct SECRET_KEY, or should the SECRET_KEY be shared amongst all instances?

Asked By: Adam Parkin


Answers:

For the same Django application you should use the same secret key to ensure that the same client can properly use the service if the load balancer redirects his/her traffic mid-session. Otherwise, surely undefined behavior will arise. More specifically, all these things would break:

  • sessions: the data decode will break; that is valid for any session backend (cookies, database, file based or cache).
  • password reset tokens already sent won’t work; users will have to ask for a new one.
  • comments forms (if using django.contrib.comments) will not validate if they were requested before the value change and submitted after the value change. I think this is very minor but might be confusing for the user.
  • messages (from django.contrib.messages) won’t validate server-side under the same timing conditions as for comments forms.

source. As a side note, I completely agree that the secret_key aspect of Django feels dangerous and mystic, despite it being very explainable, and is not treated by the documentation with any sort of clarity.

Answered By: modesitt
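To make the answer concrete, here is an added standalone Python example (not Django's own code, and not from the question or answer) modelled on Django's salted-HMAC signing: a session cookie signed on one node verifies only on nodes that hold the same SECRET_KEY. The key strings and the cookie contents are constructed for this example.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Constructed SECRET_KEY values for two hypothetical deployment nodes; not real keys.
SHARED_KEY = "instance-shared-secret-constructed-for-this-example"
OTHER_KEY = "a-different-secret-on-a-misconfigured-node"


def salted_hmac(key_salt: str, value: str, secret: str) -> bytes:
    """Derive a per-purpose key from (salt, SECRET_KEY), then HMAC the value.

    Modelled on Django's salted_hmac: the SECRET_KEY is never used directly as
    the HMAC key; SHA-256(salt + secret) is, so each purpose gets its own key.
    """
    derived = hashlib.sha256((key_salt + secret).encode()).digest()
    return hmac.new(derived, value.encode(), hashlib.sha256).digest()


def _signature(value: str, secret: str, salt: str) -> str:
    # Django's Signer appends "signer" to its salt before deriving the key.
    raw = salted_hmac(salt + "signer", value, secret)
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def sign(value: str, secret: str, salt: str = "django.core.signing.Signer") -> str:
    """Return 'value:signature', the shape of a signed session cookie."""
    return f"{value}:{_signature(value, secret, salt)}"


def unsign(signed: str, secret: str,
           salt: str = "django.core.signing.Signer") -> Optional[str]:
    """Return the payload if the signature checks out under this secret, else None."""
    value, _, sig = signed.rpartition(":")
    # Constant-time comparison, as Django does, to avoid leaking the signature.
    if hmac.compare_digest(sig, _signature(value, secret, salt)):
        return value
    return None  # Django raises BadSignature here


def session_survives_failover(issuing_key: str, receiving_key: str) -> bool:
    """Does a cookie issued by one node still verify on the node that receives it?"""
    cookie = sign("sessionid=abc123", issuing_key)
    return unsign(cookie, receiving_key) is not None
```

With a shared key the cookie round-trips across nodes; with a per-node key every request that lands on a different node is treated as an unsigned (invalid) session.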