Closed justincorrigible closed 3 years ago
Deployed to lab, and ready to test. I've generated new secrets for each individual environment, and put them in the .env file (which external actors don't have access to). Of note, internally, most of the items in the list given by Django seem to instead rely on a secret key generated by django.utils.crypto.get_random_string().
For impacts, see this link https://stackoverflow.com/a/15383766. Seems nothing that would affect our users at all as:
Got this email from some stranger. I didn't click on the link he sent, but went directly to GitHub for the file. https://github.com/overture-stack/enrolment/blob/develop/enrolment-service/enrol/enrol/settings.py
The secret is indeed exposed!
Christina
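A check for the problem reported in this thread, as an added example that is not part of the thread or the project's code: it flags a `SECRET_KEY` assigned a string literal in a settings file and generates a fresh per-environment key with the alphabet and length Django's `get_random_secret_key()` uses. The function names and both sample settings files are constructed for illustration.

```python
import ast
import secrets

# Alphabet and length used by Django's get_random_secret_key().
KEY_CHARS = "abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)"


def new_secret_key(length=50):
    """Generate one key per environment; it belongs in .env, not in the repo."""
    return "".join(secrets.choice(KEY_CHARS) for _ in range(length))


def hardcoded_secret_lines(source, names=("SECRET_KEY",)):
    """Return line numbers where a watched setting is assigned a string literal."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Assign):
            targets, value = node.targets, node.value
        elif isinstance(node, ast.AnnAssign) and node.value is not None:
            targets, value = [node.target], node.value
        else:
            continue
        literal = isinstance(value, ast.Constant) and isinstance(value.value, str)
        for target in targets:
            if literal and isinstance(target, ast.Name) and target.id in names:
                hits.append(node.lineno)
    return sorted(hits)


# Constructed sample: key committed in settings.py (placeholder value).
BEFORE = '''
DEBUG = False
SECRET_KEY = "constructed-placeholder-not-a-real-key"
'''

# Constructed sample: key read from the environment populated from .env.
AFTER = '''
import os
DEBUG = False
SECRET_KEY = os.environ["SECRET_KEY"]  # KeyError if the variable is missing
'''

if __name__ == "__main__":
    print("before:", hardcoded_secret_lines(BEFORE))
    print("after: ", hardcoded_secret_lines(AFTER))
    print("new key length:", len(new_secret_key()))
```

The check only catches a direct literal assignment; a literal passed as a fallback default to an environment lookup is not flagged.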