[ https://issues.apache.org/jira/browse/AIRFLOW-2886?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17241881#comment-17241881 ]
ASF subversion and git services commented on AIRFLOW-2886: ---------------------------------------------------------- Commit d306115a65cb4cd3f69414a8527e463526c70efe in airflow's branch refs/heads/v1-10-test from Xiaodong Deng [ https://gitbox.apache.org/repos/asf?p=airflow.git;h=d306115 ] [AIRFLOW-2886] Generate random Flask SECRET_KEY in default config (#3738) The Flask SECRET_KEY should be as random as possible. On the other hand, we can nott genrate random value when we launch the webserver (the secret_key will be inconsistent across the workers). We can generate a random one in the configuration file airflow.cfg, just like how we deal with FERNET_KEY. The SECRET_KEY is generated using os.urandom, as recommended by Flask community. (cherry picked from commit f7602f8266559e55bc602a9639e3e1ab640f30e8) > Secure Flask SECRET_KEY > ----------------------- > > Key: AIRFLOW-2886 > URL: https://issues.apache.org/jira/browse/AIRFLOW-2886 > Project: Apache Airflow > Issue Type: Bug > Reporter: Xiaodong Deng > Assignee: Xiaodong Deng > Priority: Critical > Fix For: 2.0.0 > > > In my earlier PRs, [https://github.com/apache/incubator-airflow/pull/3651] > and [https://github.com/apache/incubator-airflow/pull/3729] , I proposed to > generate random SECRET_KEY for Flask App. > If we have multiple workers for the Flask webserver, we may encounter CSRF > error {{The CSRF session token is missing}} . > On the other hand, it's still very important to have as random SECRET_KEY as > possible for security reasons. We can deal with it like how we dealt with > FERNET_KEY (i.e. generate a random value when the airflow.cfg file is > initiated). -- This message was sent by Atlassian Jira (v8.3.4#803005)