Are the hardcoded keys, tokens, and certificates a security risk?

[Dan1ell]

About the various private keys, tokens, and certificates:

deploy/local_install/mediacms.io_privkey.pem
deploy/local_install/mediacms.io_fullchain.pem
deploy/docker/reverse_proxy/certs/localhost.crt
deploy/docker/reverse_proxy/certs/localhost.key
cms/settings.py: ADMIN_TOKEN
cms/settings.py: SECRET_KEY

Shouldn’t these be different for everyone?

[swiftugandan]

Yes they are, if it is a public server. In my opinion, all the deployment settings we have in local or docker install are examples, and the user is encouraged to inspect them and customize them to suit their needs.

May be some caution tips should be added to the docs too

[Dan1ell]

Right, mine will be a public server.
Could you write for us how to regenerate these after installation, so that they are unique to our installation?

And of course, to prevent our unique versions from being overwritten during MediaCMS updates, they would have to be added to .gitignore.

[mgogoulos]

• cms/settings.py: ADMIN_TOKEN : you can ignore this. As the comment suggests, this is experimental, and has to do with remote encoders, which is not commited to the main branch
• pem/crt/key files, they act as default certificates, need be replaced with ones you produce, otherwise SSL will complain.

Assuming you run a local installation through install.sh script, the installation has created a random SECRET_KEY and it's added to cms/local_settings.py file. You don't have to do anything now, the file won't be overwritten upon restarts, git updates etc.

Assuming you run the docker compose installation, you may want to edit deploy/docker/local_settings.py and set a new SECRET_KEY . As stated on https://docs.djangoproject.com/en/3.1/ref/settings/#secret-key, this "should be set to a unique, unpredictable value.". So it should be ok if you replace the existing one with a string of random characters.

There is an issue to handle this (set a random value on the docker compose installation, for SECRET_KEY) so it's a known issue, and yes this could be handled from the developers/administrators documentation once it's released