Django's SECRET_KEY is the setting used as the basis for all of Django's cryptographic signing. It is used to sign session data, password reset tokens and any other value Django signs.
For the safety and security of a Django application, this value must be kept secret. Anyone who obtains the key can forge any value Django signs with it, including sessions and password reset tokens, which defeats many of the security protections Django puts in place.
There are a number of key generators out there, including miniwebtool and djecrety.
Previously I used and recommended miniwebtool; however, they recently added a number of intrusive adverts and cookie policies which make it annoying to use and difficult to recommend. Djecrety is nicer; however, the site is far more complex, and doesn't share a code path with the package (of the same name) it recommends.
Instead, I've decided to write another, which is much simpler, generates tokens more securely, and thus is easier to use and recommend.
I've intentionally copied the implementation from Django as closely as possible (whilst converting it to TypeScript). Django's keys are 50 characters by default; ours range between 50 and 60 (randomly, of course). The set of possible characters is also the same as Django's.
Secrets are generated solely in-browser, using the WebCrypto API, and in a way which doesn't introduce modulo bias (naively reducing a random byte modulo the size of the 50-character alphabet would make some characters more likely than others). A single random value is generated and used as an index into the possible characters. This is repeated as many times as characters are needed for the key, and the chosen characters are then concatenated to form the final key.
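As an added example (not the tool's or Django's own code), here is a Python version of the same scheme: Django's alphabet, rejection sampling over single CSPRNG bytes so that no index is favoured, a function that computes exactly how biased the naive `byte % 50` approach would be, and a check of a candidate key against the thresholds Django's own `security.W009` system check applies. Django's `get_random_secret_key()` relies on `secrets.choice`, which does its rejection sampling internally; the explicit loop below mirrors what an implementation on top of `crypto.getRandomValues()` has to do by hand.

```python
import secrets

# Django's default SECRET_KEY alphabet (django.core.management.utils.get_random_secret_key):
# 26 lowercase letters, 10 digits and 14 punctuation characters, 50 symbols in total.
DJANGO_SECRET_KEY_CHARS = "abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)"

# Thresholds Django's own system check (security.W009) applies to SECRET_KEY.
SECRET_KEY_MIN_LENGTH = 50
SECRET_KEY_MIN_UNIQUE_CHARACTERS = 5
SECRET_KEY_INSECURE_PREFIX = "django-insecure-"


def unbiased_index(n: int) -> int:
    """Return a uniform integer in [0, n) using one CSPRNG byte at a time.

    256 is not a multiple of 50, so `byte % 50` would favour the first six
    symbols of the alphabet. Rejection sampling fixes that: discard any byte
    that lands in the incomplete final bucket [limit, 256) and draw again.
    Every accepted byte is then equally likely to map to each index.
    """
    if not 0 < n <= 256:
        raise ValueError("n must be in 1..256 for single-byte sampling")
    limit = 256 - (256 % n)  # largest multiple of n that fits in a byte
    while True:
        b = secrets.token_bytes(1)[0]
        if b < limit:
            return b % n


def modulo_bias(n: int) -> tuple[int, float, float]:
    """Exact per-symbol probabilities of the naive `byte % n` scheme.

    Returns (number of favoured symbols, probability of a favoured symbol,
    probability of every other symbol), computed over all 256 byte values.
    """
    counts = [0] * n
    for b in range(256):
        counts[b % n] += 1
    favoured = 256 % n  # symbols that receive one extra byte value each
    return favoured, max(counts) / 256, min(counts) / 256


def generate_secret_key(min_len: int = 50, max_len: int = 60) -> str:
    """Django-style key with a uniformly chosen length in [min_len, max_len]."""
    length = min_len + unbiased_index(max_len - min_len + 1)
    return "".join(
        DJANGO_SECRET_KEY_CHARS[unbiased_index(len(DJANGO_SECRET_KEY_CHARS))]
        for _ in range(length)
    )


def django_equivalent_key(length: int = 50) -> str:
    """What Django itself does; secrets.choice rejection-samples internally."""
    return "".join(secrets.choice(DJANGO_SECRET_KEY_CHARS) for _ in range(length))


def secret_key_problems(key: str) -> list[str]:
    """Apply the criteria of Django's security.W009 check to a candidate key."""
    problems = []
    if len(key) < SECRET_KEY_MIN_LENGTH:
        problems.append(f"shorter than {SECRET_KEY_MIN_LENGTH} characters")
    if len(set(key)) < SECRET_KEY_MIN_UNIQUE_CHARACTERS:
        problems.append(f"fewer than {SECRET_KEY_MIN_UNIQUE_CHARACTERS} unique characters")
    if key.startswith(SECRET_KEY_INSECURE_PREFIX):
        problems.append("still carries the startproject placeholder prefix")
    return problems


def is_valid_key(key: str, min_len: int = 50, max_len: int = 60) -> bool:
    """Generator self-check: length in range and only alphabet characters used."""
    return min_len <= len(key) <= max_len and all(c in DJANGO_SECRET_KEY_CHARS for c in key)


if __name__ == "__main__":
    print(generate_secret_key())
    # (6, 0.0234375, 0.01953125): with byte % 50, six symbols are 20% more likely.
    print(modulo_bias(50))
```

`modulo_bias(50)` makes the point concrete: 256 = 5 * 50 + 6, so under the naive scheme the first six symbols of the alphabet are each hit by six byte values and the rest by five. Rejecting bytes 250..255 removes that skew at the cost of redrawing about 2% of the time.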
Probably. Django's startproject command does generate a secret key for you in a secure way for your newly created Django project (since Django 3.2 it carries a django-insecure- prefix to flag that it should be replaced before deployment). But it's good practice to have a different key for each environment, whether that be development, staging or production. Therefore, there's a need to generate one after a project has been set up: when you're creating a new environment, or when starting a project from something other than startproject.
Of course! If you spot a problem or can do something better, please open an issue or PR.
The site is hosted using GitHub Pages, so the entire supply chain from repository to hosting can be reviewed and audited.