Remove hardcoded Flask secret_key fallback ("fullmoonbakehouse") #1

Open
opened 2026-06-06 19:58:09 +00:00 by tonym · 0 comments

Severity: critical
Category: security
Location: app.py:29

Problem

app.secret_key falls back to a public literal string if SECRET_KEY is unset, so session cookies can be forged. Easy to skip on a fresh deploy.

Suggested fix

Use app.secret_key = os.environ["SECRET_KEY"] so the app refuses to start without one. Add SECRET_KEY to .env / .env.example.

Filed by automated code review.

**Severity:** critical **Category:** security **Location:** `app.py:29` ### Problem `app.secret_key` falls back to a public literal string if SECRET_KEY is unset, so session cookies can be forged. Easy to skip on a fresh deploy. ### Suggested fix Use `app.secret_key = os.environ["SECRET_KEY"]` so the app refuses to start without one. Add SECRET_KEY to .env / .env.example. _Filed by automated code review._
tonym added the
security
severity:critical
labels 2026-06-06 19:58:09 +00:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: bonna61/Moon-Household-Budget#1
No description provided.