Do you ever want to know how the SECRET_KEY works? It’s sitting in your settings.py file, but do you ever wonder why you need it? If you look at the documentation, you’ll discover some very interesting things about the SECRET_KEY setting.

In the Cryptographic signing section of the Django docs, it says:

You may also find signing useful for the following:

Generating “recover my account” URLs for sending to users who have lost their password.

Ensuring data stored in hidden form fields has not been tampered with.

Generating one-time secret URLs for allowing temporary access to a protected resource, for example a downloadable file that a user has paid for.

And I’m going to add one more thing to this list: Signing cookies so that you know that your users’ cookies are not being tampered with by a hacker.

How can you use the SECRET_KEY to determine if data has been tampered with?

The first thing you need to do is sign your data.

```python
from django.core.signing import Signer

signer = Signer()                      # uses settings.SECRET_KEY by default
value = signer.sign("My secret data")  # result looks like 'My secret data:<signature>'
print(value)
```

Now, your signed data is saved in the value variable. How do you make sure that your data hasn’t been tampered with?

```python
from django.core import signing

value += 'd'  # simulate an attacker altering the signed value
try:
    original = signer.unsign(value)  # signer is the Signer() from the previous block
except signing.BadSignature:
    print("Tampering detected!")
```

If the value has been altered, the unsign function raises a BadSignature exception. The Signer class uses settings.SECRET_KEY to create the hash of the signed data, which is why anyone who knows the key can produce a valid signature and why the key must stay secret.
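To make the mechanism concrete without needing Django installed, here is a stand-alone Python version of the same value:signature scheme (a salted HMAC-SHA256 over the value, keyed by the secret). This is an added example written to mirror Django's construction, not Django's own code, and it does not claim to produce byte-identical signatures; the secret key and the sample values are constructed placeholders.

```python
import base64
import hashlib
import hmac


class BadSignature(Exception):
    """Raised when the signature does not match the value."""


SEP = ":"
DEFAULT_SALT = "django.core.signing.Signer"  # Django's default Signer salt


def _signature(value: str, secret: str, salt: str) -> str:
    # Derive a purpose-specific key from salt + secret, then HMAC the value.
    # Mixing in the salt keeps signatures for different purposes distinct
    # even though they share one SECRET_KEY.
    key = hashlib.sha256((salt + "signer" + secret).encode()).digest()
    mac = hmac.new(key, value.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def sign(value: str, secret: str, salt: str = DEFAULT_SALT) -> str:
    """Return 'value:signature' so the value travels with its proof of integrity."""
    return f"{value}{SEP}{_signature(value, secret, salt)}"


def unsign(signed: str, secret: str, salt: str = DEFAULT_SALT) -> str:
    """Return the original value, or raise BadSignature if anything was altered."""
    if SEP not in signed:
        raise BadSignature("no separator found in signed value")
    value, sig = signed.rsplit(SEP, 1)  # rsplit: the value itself may contain ':'
    # Constant-time comparison; a plain == would leak timing information.
    if not hmac.compare_digest(sig, _signature(value, secret, salt)):
        raise BadSignature(f"signature does not match for {value!r}")
    return value


def tamper_detected(signed: str, secret: str) -> bool:
    """Helper mirroring the try/except pattern from the post."""
    try:
        unsign(signed, secret)
    except BadSignature:
        return True
    return False


# Constructed demo key; never reuse a hard-coded key like this in production.
SECRET_KEY = "constructed-demo-secret-key-do-not-use"
signed = sign("My secret data", SECRET_KEY)
```

Appending a character, changing the value, or checking with a different key all fail verification, which is exactly the BadSignature case the post describes.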