After taking a look through the repo, I can see that the same “secret key” value is being hardcoded in the following places:
sample.envtravis.ymlappveyor.ymlci.yml
After taking a look at the site settings in heroku, I can confirm that the key found in the files above are not the secret key used in production.
However, we should update this "default" secret key value to something that is a little less confusing.
Something along the lines of:
SECRET_KEY=mydummykey # Only for testing purposes, do not use in production
From Stakeholders: “…we received a security report related to https://github.com/mozilla/network-pulse-api. The security report mentions hard coded secret keys in the repo.”
After taking a look through the repo, I can see that the same “secret key” value is being hardcoded in the following places: sample.env travis.yml appveyor.yml ci.yml
After taking a look at the site settings in heroku, I can confirm that the key found in the files above are not the secret key used in production.
However, we should update this "default" secret key value to something that is a little less confusing.
Something along the lines of:
should work.