Do you ever want to know how the SECRET_KEY works? It’s sitting in your settings.py file but do you ever wonder why you need it? If you look at the documentation, you’ll discover some very interesting things about the SECRET_KEY setting.
You may also find signing useful for the following:
- Generating “recover my account” URLs for sending to users who have lost their password.
- Ensuring data stored in hidden form fields has not been tampered with.
- Generating one-time secret URLs for allowing temporary access to a protected resource, for example a downloadable file that a user has paid for.
And I’m going to add one more thing to this list: signing cookies, so that you know your users’ cookies are not being tampered with by a hacker.
How can you use the SECRET_KEY to determine whether data has been tampered with?
The first thing you need to do is sign your data.
```python
from django.core.signing import Signer

signer = Signer()
value = signer.sign("My secret data")
value  # the original string followed by ':' and its signature
```
Now your signed data is saved in the `value` variable. How do you make sure that your data hasn’t been tampered with?
```python
from django.core import signing

value += 'd'  # simulate tampering by altering the signed string
try:
    original = signer.unsign(value)
except signing.BadSignature:
    print("Tampering detected!")
```
If the value has been changed, the `unsign` function raises a `BadSignature` exception. The `Signer` class uses `settings.SECRET_KEY` as the key for the keyed hash (HMAC) that it appends to the signed data.
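To show what the Signer is doing under the hood, here is an added, stand-alone example (not Django's own code, and not a replacement for `django.core.signing`) that implements the same `value:signature` idea with a keyed HMAC and a per-purpose salt; `SECRET_KEY`, `sign`, `unsign` and `is_tampered` are names chosen for this example, and the key is a constructed placeholder.

```python
import base64
import hashlib
import hmac

# Constructed placeholder; in Django this is settings.SECRET_KEY.
SECRET_KEY = "example-secret-key-do-not-use-in-production"


class BadSignature(Exception):
    """Raised when a signed value fails verification."""


def _signature(value: str, salt: str) -> str:
    # A keyed MAC, not a plain hash: without SECRET_KEY nobody can forge it.
    # The salt keeps a signature made for one purpose (cookies) from
    # verifying as another (password-reset links).
    key = hashlib.sha256((salt + SECRET_KEY).encode()).digest()
    mac = hmac.new(key, value.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def sign(value: str, salt: str = "signer") -> str:
    """Return 'value:signature'."""
    return f"{value}:{_signature(value, salt)}"


def unsign(signed: str, salt: str = "signer") -> str:
    """Return the original value, or raise BadSignature if it was altered."""
    if ":" not in signed:
        raise BadSignature("no signature found")
    value, sig = signed.rsplit(":", 1)  # the value itself may contain ':'
    # Constant-time comparison so the check does not leak the signature.
    if not hmac.compare_digest(sig, _signature(value, salt)):
        raise BadSignature("signature does not match")
    return value


def is_tampered(signed: str, salt: str = "signer") -> bool:
    """True if unsign() rejects the string (value or signature altered)."""
    try:
        unsign(signed, salt)
        return False
    except BadSignature:
        return True


if __name__ == "__main__":
    cookie = sign("user_id=42", salt="cookie")
    forged = "user_id=1:" + cookie.rsplit(":", 1)[1]  # new value, old signature
    print(cookie, is_tampered(cookie, salt="cookie"))   # False
    print(forged, is_tampered(forged, salt="cookie"))   # True
```

Appending a character to the signed string, as the article does, is rejected the same way as swapping the value in front of a reused signature.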
Next time you have data that you need to keep from being tampered with, remember the