Stuck on an issue?
Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Configuration should be 'secure by default'
See original GitHub issueAll security libs should be secure by default. Flask-security is not. This prevents flask-security from being run ‘off the shelf’.
SECURITY_PASSWORD_HASH is plaintext by default. This should default to perhaps bcrypt.
SECURITY_PASSWORD_SALT is None by default. This should be set to a valid default. Although that would mean a common salt between any vanilla installs, any salt is better than None.
Issue Analytics
- State:
- Created 9 years ago
- Comments:5 (1 by maintainers)
Top Results From Across the Web
Default Settings, and Why the Initial Configuration is not the ...
Default Settings, and Why the Initial Configuration is not the Most Secure ... It's true that it's easiest and most convenient to start...
Read more >Secure by Default - NCSC.GOV.UK
Secure by Default covers the long-term technical effort to ensure that the right security primitives are built in to software and hardware. It...
Read more >Default Configuration - an overview | ScienceDirect Topics
According to the principle of default configuration, controls should default to the most secure condition. Modifications to the strength of a control should ......
Read more >Security by Default: 5 Principles for Building More Secure Apps
Principle Two: Secure Configurations by Default Relying on the end-user to make an app secure is, in essence, shipping insecure software. After ...
Read more >Cyber Essentials Controls: Secure Configuration
It's easier and more convenient to use new devices or software with their default settings, but it's not the most secure. Accepting the...
Read more >
Top Related Medium Post
No results found
Top Related StackOverflow Question
No results found
Troubleshoot Live Code
Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free
Top Related Reddit Thread
No results found
Top Related Hackernoon Post
No results found
Top Related Tweet
No results found
Top Related Dev.to Post
No results found
Top Related Hashnode Post
No results found
A default has already been chosen. And that default is the least secure of plausible options. I think it should be changed.
@adamlwgriffiths I too am surprised by this default behavior and I believe that it should be changed.
@mattupstate I believe that currently a decision is made on the encryption algorithm default, and that is to use the least secure one possible. What if the default was set to ‘bcrypt’, and a warning logged if the
SECURITY_PASSWORD_SALTkey is not set in app.config?I believe this would both improve the out-of-box security of Flask-Security (and the flask ecosystem as a whole!), and ensure that everyone makes a decision on the encryption algorithm.
@adamlwgriffiths Your hearts in the right place and I agree with you, but necro-posting like this is not constructive. I highly encourage you to submit a pull request that takes into account the feedback provided in this thread 1.5 years ago.