bisco/webfortilog
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Harden secret key configuration

Browse Source
This commit is contained in:
Alfredo Di Stasio
2026-04-27 14:23:13 +02:00
parent 846a22c047
commit 41c63980f0
5 changed files with 163 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
README.md
View File

@@ -42,6 +42,7 @@ pip install -e ".[dev]"
```bash
export FLASK_APP=wsgi.py
export APP_ENV=development
export MAX_UPLOAD_SIZE_MB=100
flask run --debug
```
@@ -73,7 +74,7 @@ docker build -t webfortilog .
### Run
```bash
docker run --rm -p 8000:8000 -e MAX_UPLOAD_SIZE_MB=100 webfortilog
docker run --rm -p 8000:8000 -e APP_ENV=development -e MAX_UPLOAD_SIZE_MB=100 webfortilog
```
Open `http://127.0.0.1:8000`.
@@ -89,12 +90,16 @@ docker compose up --build web
Compose settings are stored in `env`. Update that file to change values such as:
- `SECRET_KEY`
- `APP_ENV`
- `MAX_UPLOAD_SIZE_MB`
- `OUTPUT_DIRECTORY`
- `OUTPUT_RETENTION_HOURS`
- `CLEANUP_ON_STARTUP`
- `CLEANUP_AFTER_DOWNLOAD`
For local Docker Compose usage, `APP_ENV=development` allows an internal development-only fallback secret key.
For production-like environments, set a strong `SECRET_KEY` explicitly.
### Run the test suite in a container
```bash
@@ -137,6 +142,28 @@ curl -X POST http://127.0.0.1:5000/convert \
- Default upload limit is 100 MiB
- Set `MAX_UPLOAD_SIZE_MB` to configure the upload limit in megabytes
- `MAX_CONTENT_LENGTH` is also supported as a lower-level byte-based override
- `SECRET_KEY` is required in production-like environments and must not use placeholder values such as `change-me`
- Development-only fallback secret key behavior is enabled only when `APP_ENV=development` or `FLASK_ENV=development`
- `OUTPUT_RETENTION_HOURS` controls how long generated output files are kept
- `CLEANUP_ON_STARTUP=true` removes expired generated files when the app starts
- `CLEANUP_AFTER_DOWNLOAD=true` deletes a result only after the response finishes sending
## Secure configuration example
### Production-like environment
```bash
python3 - <<'PY'
import secrets
print(secrets.token_urlsafe(48))
PY
```
Use the generated value as `SECRET_KEY`, for example:
```bash
docker run --rm -p 8000:8000 \
-e SECRET_KEY='replace-with-a-long-random-secret' \
-e MAX_UPLOAD_SIZE_MB=100 \
webfortilog
```