Opened 5 years ago

Closed 5 years ago

#20227 closed Uncategorized (wontfix)

Accept an empty SECRET_KEY when DEBUG is True

Reported by: Luc Saffre Owned by: nobody
Component: Uncategorized Version: 1.5
Severity: Normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no


Django should accept an empty SECRET_KEY when DEBUG is True. Okay Django 1.5 is more severe about security leaks and it's okay to say that a SECRET_KEY setting is required (, but when DEBUG is True Django shouldn't be so nit-picky.

Change History (3)

comment:1 Changed 5 years ago by Aymeric Augustin

This proposal assumes that no one will run a Django website in production with DEBUG = True.

Unfortunately, I'm afraid this isn't a valid assumption.

comment:2 Changed 5 years ago by Baptiste Mispelon

I'm -1 on this idea too:

  • It's one more thing that can break when changing DEBUG from True to False.
  • startproject will anyway generate a good SECRET_KEY for you, so you get a fully functional settings file out of the box (especially with the new project template).
  • Even if you try to use an empty secret key, django will give you an error message with instructions on how to fix it.

comment:3 Changed 5 years ago by Aymeric Augustin

Resolution: wontfix
Status: newclosed
Note: See TracTickets for help on using tickets.
Back to Top