Remove hardcoded Flask secret_key fallback ("fullmoonbakehouse") #1
Reference in New Issue
Block a user
No description provided.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Severity: critical
Category: security
Location:
app.py:29Problem
app.secret_keyfalls back to a public literal string if SECRET_KEY is unset, so session cookies can be forged. Easy to skip on a fresh deploy.Suggested fix
Use
app.secret_key = os.environ["SECRET_KEY"]so the app refuses to start without one. Add SECRET_KEY to .env / .env.example.Filed by automated code review.