Hardcoded framework SECRET_KEY (Flask/Django)
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.
What it detects
A Flask app.secret_key or Django SECRET_KEY is assigned a string literal, which signs session cookies and CSRF tokens and must not live in source control.
Why it matters
Flask's app.secret_key and Django's SECRET_KEY sign session cookies, CSRF tokens, and password-reset tokens. A hardcoded value lets anyone with the source forge those tokens, which can mean session hijacking or account takeover. Django's own generated projects ship an insecure placeholder key precisely so you replace it before deploying.
How to fix it
Load the key from the environment (os.environ['SECRET_KEY']) and refuse to start if it is missing. Generate a long random value per environment and keep it in your secret store, not the repo. Add the name to .env.example, and rotate the exposed key, accepting that it invalidates existing sessions and outstanding reset links.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo