Demystify Flask app.secret_key


Problem description

If app.secret_key is not set, the Flask framework will not allow you to set or access the session dictionary. This is all that the flask user guide has to say on the subject.

I am very new to web development and I have no idea how/why any security stuff works. I would like to understand what flask is doing under the hood. Why does flask force us to set this secret_key property? How does flask use the secret_key property?

Solution

Anything that requires encryption (for safe-keeping against tampering by attackers) requires the secret key to be set. For just Flask itself, that 'anything' is the Session object, but other extensions can make use of the same secret.

secret_key is merely the value set for the SECRET_KEY configuration key, or you can set it directly.

The Sessions section in the Quickstart has good, sane advice on what kind of server-side secret you should set.

Encryption relies on secrets; if you didn't set a server-side secret for the encryption to use, everyone would be able to break your encryption; it's like the password to your computer. The secret plus the data-to-sign are used to create a signature string, a hard-to-recreate value using a cryptographic hashing algorithm; only if you have the exact same secret and the original data can you recreate this value, letting Flask detect if anything has been altered without permission. Since the secret is never included with data Flask sends to the client, a client cannot tamper with session data and hope to produce a new, valid signature.

Flask uses the itsdangerous library to do all the hard work; sessions use the itsdangerous.URLSafeTimedSerializer class with a customized JSON serializer.
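As an added illustration of the signing mechanism the answer describes (example code written for this page, not the answer's code and not Flask's or itsdangerous' implementation): the block below uses Python's standard-library `hmac` and `hashlib` in place of itsdangerous, so `sign_session`, `load_session` and the token layout `payload.timestamp.signature` are assumptions made for the demonstration, but the principle is the one the answer states. The server-side secret is mixed into an HMAC over the serialized session data; only the data and the signature travel to the client, so a client who edits the payload (here, flipping an `admin` flag) cannot produce a signature that verifies, a different secret rejects the cookie, and a timestamp lets the server reject cookies older than a chosen age, as `URLSafeTimedSerializer` does.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed secret for the demonstration only; a real deployment loads a
# long random value from configuration (Flask's SECRET_KEY) and never ships it
# to the client.
SECRET_KEY = b"demo-secret-do-not-use"


def _b64(raw: bytes) -> str:
    """URL-safe base64 without padding, as used in cookie-friendly tokens."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _serialize(data: dict) -> bytes:
    # Canonical JSON so the same dict always signs to the same bytes.
    return json.dumps(data, sort_keys=True, separators=(",", ":")).encode()


def sign_session(data: dict, secret: bytes, timestamp: Optional[int] = None) -> str:
    """Serialize data, append an issue timestamp, and sign both with HMAC-SHA256.

    The returned token (payload.timestamp.signature) is what a server would
    place in the session cookie; the secret itself is never part of it.
    """
    ts = int(time.time()) if timestamp is None else timestamp
    signed_part = f"{_b64(_serialize(data))}.{_b64(ts.to_bytes(8, 'big'))}"
    sig = hmac.new(secret, signed_part.encode(), hashlib.sha256).digest()
    return f"{signed_part}.{_b64(sig)}"


def load_session(token: str, secret: bytes, max_age: Optional[int] = None,
                 now: Optional[int] = None) -> Optional[dict]:
    """Return the session dict if the signature verifies (and is not expired), else None."""
    try:
        payload, ts_b64, sig_b64 = token.split(".")
        presented_sig = _unb64(sig_b64)
        ts = int.from_bytes(_unb64(ts_b64), "big")
    except (ValueError, TypeError):
        return None  # malformed token
    expected = hmac.new(secret, f"{payload}.{ts_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison so timing does not leak how many bytes matched.
    if not hmac.compare_digest(expected, presented_sig):
        return None
    if max_age is not None:
        current = int(time.time()) if now is None else now
        if current - ts > max_age:
            return None
    return json.loads(_unb64(payload))


def tamper_demo() -> dict:
    """Show which tokens verify: the genuine one, an edited payload, a wrong key, a stale token."""
    issued = 1_700_000_000  # constructed fixed timestamp so the demo is deterministic
    token = sign_session({"user": "alice", "admin": False}, SECRET_KEY, timestamp=issued)
    _payload, ts_b64, sig_b64 = token.split(".")
    # A client re-encodes the payload with admin=True but has no way to re-sign it.
    forged = f"{_b64(_serialize({'user': 'alice', 'admin': True}))}.{ts_b64}.{sig_b64}"
    return {
        "original_ok": load_session(token, SECRET_KEY) is not None,
        "forged_ok": load_session(forged, SECRET_KEY) is not None,
        "wrong_key_ok": load_session(token, b"other-secret") is not None,
        "expired_ok": load_session(token, SECRET_KEY, max_age=3600, now=issued + 7200) is not None,
    }


if __name__ == "__main__":
    print(tamper_demo())
```

Running the block prints a dict in which only `original_ok` is `True`. This is also why rotating or leaking the secret matters: anyone holding the same secret can mint tokens that `load_session` accepts, which is exactly the property the answer's "password to your computer" comparison points at.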
