Do you ever want to know how the SECRET_KEY works? It’s sitting in your settings.py file, but do you ever wonder why you need it? If you look at the documentation, you’ll discover some very interesting things about the SECRET_KEY setting.
You may also find signing useful for the following:
- Generating “recover my account” URLs for sending to users who have lost their password.
- Ensuring data stored in hidden form fields has not been tampered with.
- Generating one-time secret URLs for allowing temporary access to a protected resource, for example a downloadable file that a user has paid for.
And I’m going to add one more thing to this list: signing cookies, so that you know your users’ cookies are not being tampered with by a hacker.
How can you use the SECRET_KEY to determine whether data has been tampered with?
The first thing you need to do is sign your data.
Now, your signed data is saved in the value variable. How do you make sure that your data hasn’t been tampered with?
If the value is different, the unsign function will raise a BadSignature exception. The Signer class uses settings.SECRET_KEY to create the hash that is appended to the signed data.
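The sign/unsign round trip and the tamper check described above, as an added example that is not from the original post and not Django’s own code: it re-implements the idea of django.core.signing.Signer with the standard library (hmac, hashlib, base64) so it runs without Django installed. The SECRET_KEY value, the salt string and the helper names (sign, unsign, tamper_detected) are constructed for the example; in a real project you would use settings.SECRET_KEY and the Signer class from django.core.signing instead.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for settings.SECRET_KEY (assumption: any long random string).
SECRET_KEY = "constructed-secret-key-for-the-example-only"
# The salt namespaces the derived key so one SECRET_KEY can serve several purposes
# (cookies, password-reset links, hidden form fields) without signatures being reusable.
SALT = "example.signer"


class BadSignature(Exception):
    """Raised when a signed value fails verification."""


def _b64(raw: bytes) -> str:
    # URL-safe base64 without padding, so the signature is safe inside cookies and URLs
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _signature(value: str, secret: str = SECRET_KEY, salt: str = SALT) -> str:
    # Derive a per-purpose key from salt + secret, then HMAC-SHA256 the value with it.
    key = hashlib.sha256((salt + secret).encode()).digest()
    return _b64(hmac.new(key, value.encode(), hashlib.sha256).digest())


def sign(value: str, secret: str = SECRET_KEY) -> str:
    """Return 'value:signature'. The value stays readable; only its integrity is protected."""
    return f"{value}:{_signature(value, secret)}"


def unsign(signed_value: str, secret: str = SECRET_KEY) -> str:
    """Return the original value, or raise BadSignature if it was altered or unsigned."""
    # rpartition: the value itself may contain ':', the base64 signature never does
    value, sep, sig = signed_value.rpartition(":")
    if not sep:
        raise BadSignature("no signature present")
    # Constant-time comparison: a plain == would leak timing information about the signature.
    if not hmac.compare_digest(sig, _signature(value, secret)):
        raise BadSignature(f"signature does not match for {value!r}")
    return value


def tamper_detected(signed_value: str, new_value: str) -> bool:
    """Simulate a client editing the value part of a signed cookie and keeping the old signature."""
    _, _, sig = signed_value.rpartition(":")
    try:
        unsign(f"{new_value}:{sig}")
    except BadSignature:
        return True
    return False


if __name__ == "__main__":
    cookie = sign("user_id=42")          # what the server would store in the cookie
    print("signed cookie:", cookie)
    print("verified value:", unsign(cookie))
    print("edited to user_id=1 detected:", tamper_detected(cookie, "user_id=1"))
```

Because the signature is an HMAC over the exact value, changing a single character of the value (or signing with a different SECRET_KEY) produces a mismatch and unsign raises BadSignature; rotating SECRET_KEY therefore invalidates every previously issued signature, which is the same behaviour you get from Django’s Signer.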
Next time you have data that you need to keep from being tampered remember the