diff --git a/docker/.env b/docker/.env
index b9d7625f..161796e6 100644
--- a/docker/.env
+++ b/docker/.env
@@ -38,7 +38,7 @@ PUSHOVER_SUBSCRIPTION_URL=
REGISTRATION_OPEN=True
REMOTE_USER_HEADER=
RP_ID=
-SECRET_KEY=
+SECRET_KEY=---
SHELL_ENABLED=False
SIGNAL_CLI_ENABLED=False
SITE_NAME=Mychecks
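Review bot: The value `---` written to SECRET_KEY on the added line is a bare sentinel with nothing in the file saying it is a placeholder, and it must stay byte-identical to the default in hc/settings.py and to the comparison in hc/front/templatetags/hc_extras.py for the warning banner to fire. An operator copying this file gets a running site with a publicly known signing key and only a UI banner to tell them. A comment on the line above it would make the intent explicit, e.g. `# Placeholder that the site flags as insecure; replace with a long random value before deploying.`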
diff --git a/hc/front/templatetags/hc_extras.py b/hc/front/templatetags/hc_extras.py
index c440627b..145f825c 100644
--- a/hc/front/templatetags/hc_extras.py
+++ b/hc/front/templatetags/hc_extras.py
@@ -70,6 +70,15 @@ def debug_warning():
"""
)
+ if settings.SECRET_KEY == "---":
+ return mark_safe(
+ """
+
+ Running with an insecure SECRET_KEY value, do not use in production.
+
+ """
+ )
+
return ""
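Review bot: The new `if settings.SECRET_KEY == "---":` branch is only reached after the preceding branch, and if the `"""` / `)` context lines above it close a `return mark_safe(...)` for the DEBUG case, an insecure key is never reported while DEBUG is on, so the two warnings are mutually exclusive rather than cumulative; the function `debug_warning` starts outside this hunk, so this is inferred. The literal `"---"` is also duplicated from hc/settings.py with no link between the two, so a change to one silently disables the check. A comment on the comparison would help, e.g. `# "---" is the insecure placeholder default from hc/settings.py; keep the two in sync.`, or better, read the placeholder from a single module-level constant that settings.py also uses. The check is exact-match only, so a short but non-placeholder key is not flagged here; Django's own `manage.py check --deploy` (security.W009) covers that case, which may be worth mentioning in the comment.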
diff --git a/hc/front/tests/test_basics.py b/hc/front/tests/test_basics.py
index fd3cbbaf..c1d20f74 100644
--- a/hc/front/tests/test_basics.py
+++ b/hc/front/tests/test_basics.py
@@ -3,15 +3,22 @@ from django.test.utils import override_settings
class BasicsTestCase(TestCase):
+ @override_settings(DEBUG=False, SECRET_KEY="abc")
def test_it_shows_welcome(self):
r = self.client.get("/")
self.assertContains(r, "Get Notified", status_code=200)
self.assertNotContains(r, "do not use in production")
- @override_settings(DEBUG=True)
+ @override_settings(DEBUG=True, SECRET_KEY="abc")
def test_it_shows_debug_warning(self):
r = self.client.get("/")
- self.assertContains(r, "do not use in production")
+ self.assertContains(r, "Running in debug mode")
+
+ @override_settings(DEBUG=False, SECRET_KEY="---")
+ def test_it_shows_secret_key_warning(self):
+ r = self.client.get("/")
+ self.assertContains(r, "Get Notified", status_code=200)
+ self.assertContains(r, "Running with an insecure SECRET_KEY value")
@override_settings(REGISTRATION_OPEN=False)
def test_it_obeys_registration_open(self):
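Review bot: No test pins the combination of `DEBUG=True` and `SECRET_KEY="---"`; the two added tests each set one condition and a safe value for the other, so the precedence between the debug banner and the key banner in `debug_warning` is unspecified. Both messages contain "do not use in production", so a test asserting that phrase documents that at least one warning is shown without committing to which one wins. A fourth test along these lines would close the gap:

```python
    @override_settings(DEBUG=True, SECRET_KEY="---")
    def test_it_warns_when_debug_and_insecure_key(self):
        r = self.client.get("/")
        self.assertContains(r, "do not use in production")
```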
diff --git a/hc/settings.py b/hc/settings.py
index 94fae727..a8427596 100644
--- a/hc/settings.py
+++ b/hc/settings.py
@@ -26,7 +26,7 @@ def envint(s, default):
return int(v)
-SECRET_KEY = os.getenv("SECRET_KEY", "")
+SECRET_KEY = os.getenv("SECRET_KEY", "---")
METRICS_KEY = os.getenv("METRICS_KEY")
DEBUG = envbool("DEBUG", "True")
ALLOWED_HOSTS = os.getenv("ALLOWED_HOSTS", "*").split(",")
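Review bot: Changing the default on the `SECRET_KEY = os.getenv("SECRET_KEY", "---")` line removes a hard failure: with the previous empty default Django refuses to start (ImproperlyConfigured on an empty SECRET_KEY), whereas now a deployment that forgot the variable boots with a key that is public in this repository, so session cookies, password-reset links and any other signed tokens on that deployment are forgeable by anyone who reads the source, and the only signal is the banner added in hc_extras. That is a deliberate trade-off for first-run convenience, but the line gives no hint of it. A comment would record the decision, e.g. `# Insecure placeholder so a fresh checkout starts; debug_warning() shows a banner while it is in use.`; if the intent is convenience only for development, consider raising ImproperlyConfigured when the placeholder is combined with `DEBUG=False`, though the added test `test_it_shows_secret_key_warning` currently expects that combination to serve pages.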
diff --git a/templates/docs/self_hosted_configuration.html b/templates/docs/self_hosted_configuration.html
index 8c72d3e4..b7f78507 100644
--- a/templates/docs/self_hosted_configuration.html
+++ b/templates/docs/self_hosted_configuration.html
@@ -230,8 +230,9 @@ if your site runs on https://my-hc.example.org
, set RP_IDrunsslserver
command
from the django-sslserver
package.
SECRET_KEY
-Default: ""
(empty string)
-A secret key used for cryptographic signing.
+Default: ---
+A secret key used for cryptographic signing, and should be set to a unique,
+unpredictable value.
This is a standard Django setting, read more in
Django documentation.
SHELL_ENABLED
diff --git a/templates/docs/self_hosted_configuration.md b/templates/docs/self_hosted_configuration.md
index 9f58089c..b2f2b71e 100644
--- a/templates/docs/self_hosted_configuration.md
+++ b/templates/docs/self_hosted_configuration.md
@@ -370,9 +370,10 @@ from the `django-sslserver` package.
## `SECRET_KEY` {: #SECRET_KEY }
-Default: `""` (empty string)
+Default: `---`
-A secret key used for cryptographic signing.
+A secret key used for cryptographic signing, and should be set to a unique,
+unpredictable value.
This is a standard Django setting, read more in
[Django documentation](https://docs.djangoproject.com/en/3.1/ref/settings/#secret-key).