include::../../../shared_content/secrets/description.adoc[]

== Why is this an issue?

include::../../../shared_content/secrets/rationale.adoc[]

=== What is the potential impact?

If a Flask secret key leaks to an unintended audience, it can have serious
security implications for the corresponding application. The secret key is used
to sign cookies and other sensitive data so that an attacker could potentially
use it to perform malicious actions.

For example, an attacker could use the secret key to create their own cookies
that appear to be legitimate, allowing them to bypass authentication and gain
access to sensitive data or functionality.

In the worst-case scenario, an attacker could be able to execute arbitrary code
on the application and take over its hosting server.

== How to fix it

include::../../../shared_content/secrets/fix/revoke.adoc[]

In Flask, changing the secret value is sufficient to invalidate any data that
it protected.

include::../../../shared_content/secrets/fix/vault.adoc[]

=== Code examples

==== Noncompliant code example

[source,python,diff-id=1,diff-type=noncompliant,subs="attributes"]
----
from flask import Flask

app = Flask(__name__)
app.config['SECRET_KEY'] = "secret"  # Noncompliant
----

==== Compliant solution

[source,python,diff-id=1,diff-type=compliant,subs="attributes"]
----
from flask import Flask
import os

app = Flask(__name__)
app.config['SECRET_KEY'] = os.environ["SECRET_KEY"]
----


//=== How does this work?

//=== Pitfalls

//=== Going the extra mile

== Resources

include::../../../shared_content/secrets/resources/standards.adoc[]

=== Documentation

* Flask documentation - https://flask.palletsprojects.com/en/2.3.x/config/#SECRET_KEY[Config - SECRET_KEY]

//=== Benchmarks