demystify Flask app.secret_key
Question
If app.secret_key isn't set, Flask will not allow you to set or access the session dictionary.
This is all that the flask user guide has to say on the subject.
I am very new to web development and I have no idea how/why any security stuff works. I would like to understand what Flask is doing under the hood.
- Why does Flask force us to set this secret_key property?
- How does Flask use the secret_key property?
Answer
Anything that requires encryption (for safe-keeping against tampering by attackers) requires the secret key to be set. For just Flask itself, that 'anything' is the Session object, but other extensions can make use of the same secret.
secret_key is merely the value set for the SECRET_KEY configuration key, or you can set it directly.
The Sessions section in the Quickstart has good, sane advice on what kind of server-side secret you should set.
Encryption relies on secrets; if you didn't set a server-side secret for the encryption to use, everyone would be able to break your encryption; it's like the password to your computer. The secret plus the data-to-sign are used to create a signature string, a hard-to-recreate value using a cryptographic hashing algorithm; only if you have the exact same secret and the original data can you recreate this value, letting Flask detect if anything has been altered without permission. Since the secret is never included with data Flask sends to the client, a client cannot tamper with session data and hope to produce a new, valid signature.
Flask uses the itsdangerous library to do all the hard work; sessions use the itsdangerous.URLSafeTimedSerializer class with a customized JSON serializer.
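The signing scheme the answer describes, as an added example that is not part of the original answer and not Flask's or itsdangerous' own code: a stripped-down re-implementation of the payload.timestamp.signature cookie format using only the standard library. It keeps the structure of URLSafeTimedSerializer (URL-safe base64, a timestamp, an HMAC-SHA1 signature keyed by the secret, constant-time comparison, a max_age check) but omits the salt-based key derivation the real library performs. SECRET_KEY, the session dict and the fixed clock values are constructed for the demo.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed, hypothetical secret for this example only. A real Flask app
# loads SECRET_KEY from configuration; it is never hard-coded or sent to clients.
SECRET_KEY = b"example-secret-do-not-use"


def _b64(data: bytes) -> str:
    """URL-safe base64 without '=' padding (same alphabet itsdangerous uses)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    """Inverse of _b64; restores the stripped padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_session(data: dict, secret: bytes, now: Optional[int] = None) -> str:
    """Serialize a session dict as payload.timestamp.signature.

    The signature is HMAC-SHA1 over payload and timestamp, keyed by the secret,
    so only a holder of the secret can produce a valid one.
    """
    issued = int(time.time() if now is None else now)
    payload = _b64(json.dumps(data, separators=(",", ":"), sort_keys=True).encode())
    stamp = _b64(str(issued).encode())
    signed = f"{payload}.{stamp}"
    sig = hmac.new(secret, signed.encode(), hashlib.sha1).digest()
    return f"{signed}.{_b64(sig)}"


def load_session(cookie: str, secret: bytes, max_age: Optional[int] = None,
                 now: Optional[int] = None) -> Optional[dict]:
    """Return the session dict if signature (and age) check out, otherwise None."""
    try:
        payload, stamp, sig = cookie.split(".")
        expected = hmac.new(secret, f"{payload}.{stamp}".encode(), hashlib.sha1).digest()
        # Constant-time comparison: do not leak how many signature bytes matched.
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        if max_age is not None:
            issued = int(_unb64(stamp).decode("ascii"))
            current = int(time.time() if now is None else now)
            if current - issued > max_age:
                return None
        return json.loads(_unb64(payload))
    except (ValueError, binascii.Error, UnicodeDecodeError):
        # Malformed cookie (bad split, bad base64, bad JSON): treat as no session.
        return None


def demo() -> dict:
    """Show what the signature buys: an edited payload, a wrong key or an expired
    cookie are all rejected, while the untouched cookie loads normally."""
    cookie = sign_session({"user_id": 42}, SECRET_KEY, now=1_000_000)
    _payload, stamp, sig = cookie.split(".")
    # A client can read and edit the payload, but cannot recompute the signature
    # without the secret, so the edited cookie fails verification.
    edited_payload = _b64(json.dumps({"user_id": 1}).encode())
    edited = f"{edited_payload}.{stamp}.{sig}"
    return {
        "valid": load_session(cookie, SECRET_KEY, max_age=3600, now=1_000_100),
        "edited": load_session(edited, SECRET_KEY, max_age=3600, now=1_000_100),
        "wrong_key": load_session(cookie, b"guess", max_age=3600, now=1_000_100),
        "expired": load_session(cookie, SECRET_KEY, max_age=60, now=1_000_100),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Note that the payload is only base64-encoded, not encrypted: anyone holding the cookie can decode and read the session contents, which is why Flask's documentation warns against storing sensitive data in the session. The secret protects integrity, not confidentiality.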