What is the maximum secret key size that can be used in Python Flask applications? All of the examples I've seen online, including http://flask.pocoo.org/docs/0.12/quickstart/#sessions, seem to recommend using 192-bit keys, but I'm wondering if it's possible to use a 256-bit key.
Flask employs itsdangerous.Signer to sign session data; the key used for signing is not the one you provide with the SECRET_KEY config option but is derived with an HKDF.
By default, Flask uses HMAC-SHA1 as the HKDF algorithm, so you only get a 160-bit signing key; the length of SECRET_KEY makes no difference. In order to get a 256-bit session signing key, you could extend flask.sessions.SecureCookieSessionInterface and change digest_method to SHA256; of course, you still need a lengthy random SECRET_KEY for enough entropy.
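An added example (not code from the answer, Flask or itsdangerous) that reproduces the derivation the answer describes with the standard library and shows the subclass it suggests: the signing key is HMAC(SECRET_KEY, salt) under digest_method, so its size follows the digest, not SECRET_KEY. The salt b"cookie-session" and the HMAC-based derivation mode are assumed from Flask's SecureCookieSessionInterface and itsdangerous's "hmac" key derivation as I know them; the base class is stubbed when Flask is not installed.

```python
import hashlib
import hmac

# Assumption: Flask passes this salt to itsdangerous for the session cookie serializer.
FLASK_SESSION_SALT = b"cookie-session"


def derive_session_signing_key(secret_key, digest_name="sha1", salt=FLASK_SESSION_SALT):
    """Mirror of itsdangerous's 'hmac' key derivation: HMAC(secret_key, salt, digest).

    This is a stand-alone reconstruction, not itsdangerous itself. The output
    length equals the digest size, whatever the length of secret_key.
    """
    if isinstance(secret_key, str):
        secret_key = secret_key.encode("utf-8")
    digest_method = getattr(hashlib, digest_name)
    mac = hmac.new(secret_key, None, digest_method)
    mac.update(salt)
    return mac.digest()


def signing_key_bits(secret_key, digest_name="sha1"):
    """Effective size in bits of the key that actually signs the session cookie."""
    return len(derive_session_signing_key(secret_key, digest_name)) * 8


try:
    from flask.sessions import SecureCookieSessionInterface
except ImportError:  # Flask not installed: stub the base so the module still imports
    SecureCookieSessionInterface = object


class Sha256SessionInterface(SecureCookieSessionInterface):
    """Session interface whose derived signing key is 256 bits instead of 160.

    Install with: app.session_interface = Sha256SessionInterface()
    Sessions issued before the switch no longer validate, because they were
    signed with the SHA-1-derived key; plan the rollout accordingly.
    """
    digest_method = staticmethod(hashlib.sha256)


if __name__ == "__main__":
    import secrets
    secret = secrets.token_bytes(32)  # constructed 256-bit SECRET_KEY for the demo
    print("SHA-1 derived key bits:  ", signing_key_bits(secret))            # 160
    print("SHA-256 derived key bits:", signing_key_bits(secret, "sha256"))  # 256
```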