What is Django's SECRET_KEY?
Django's SECRET_KEY is used to sign cryptographic hashes for sessions, CSRF tokens, password reset links, and any value you pass through Django's signing framework. A weak or compromised key can allow attackers to forge any of these values.
Django requires the key to be at least 50 characters long, drawn from letters, digits, and a safe set of symbols: !@#$%^&*(-_=+). This tool uses exactly that charset — identical to Django's built-in get_random_secret_key().
How to add it to your project
- Copy the generated key and paste it into your
.env:SECRET_KEY=<paste here> - Load it in
settings.pyusingpython-decoupleordjango-environ:import environ env = environ.Env() SECRET_KEY = env("SECRET_KEY") - Never hardcode
SECRET_KEYinsettings.pyand never commit the.envfile.
Rotating the key
Rotating SECRET_KEY invalidates all existing sessions, password-reset links, and CSRF tokens immediately. Plan a maintenance window or use Django's SECRET_KEY_FALLBACKS (Django 4.1+) to support both old and new keys during a transition period.