From 84c00fa5ba46464fb62c030fa0de5362fbc84cf8 Mon Sep 17 00:00:00 2001 From: David Larlet Date: Tue, 19 Sep 2023 14:52:57 -0400 Subject: [PATCH] Better documentation for the SECRET_KEY setting See https://github.com/umap-project/umap/pull/1322#issuecomment-1726300269 --- docs/settings.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docs/settings.md b/docs/settings.md index ba08de12..08b6a90f 100644 --- a/docs/settings.md +++ b/docs/settings.md @@ -63,6 +63,11 @@ See [Django documentation for MEDIA_ROOT](https://docs.djangoproject.com/en/4.2/ Must be defined to something unique and secret. +Running uMap / Django with a known SECRET_KEY defeats many of Django’s security protections, and can lead to privilege escalation and remote code execution vulnerabilities. + +See [Django documentation for SECRET_KEY](https://docs.djangoproject.com/en/4.2/ref/settings/#secret-key) + + #### SITE_URL The final URL of you instance, including the protocol:
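Review bot: the added SECRET_KEY paragraph in docs/settings.md says what a known key costs but not how an operator should produce a good one, which is the question this settings page exists to answer; consider adding one sentence that the value must come from a cryptographically secure random source, for example Django's own helper, `python -c "from django.core.management.utils import get_random_secret_key; print(get_random_secret_key())"`, and that changing the key afterwards invalidates existing sessions and password-reset links, so rotation is safe but logs everyone out. Smaller points in the same hunk: the two consecutive `+` blank lines before `#### SITE_URL` leave a double blank line where the rest of the file uses one; the line `See [Django documentation for SECRET_KEY](...)` has no trailing period; and the unchanged context line `The final URL of you instance` carries a typo (`your`) that could be fixed in the same pass.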