author: Pieter Ennes <pieter@ennes.nl> 2018-05-22 11:17:16 +0100
committer: GitHub <noreply@github.com> 2018-05-22 11:17:16 +0100
commit: f853295b674cb2be0b83f72f71739a7a23f5936e
tree: ae80818cc993283a0361caf564b5a373253aed48 /docs/oauth1
parent: 979b1728b836da4e72919451ae9c684be90e822d
parent: 5c76855eac8ba002289fa53e6ae82f00a64d0d9f
Merge pull request #548 from skion/2.1.0 [v2.1.0, 2.x]
Release 2.1.0
Diffstat (limited to 'docs/oauth1')
-rw-r--r-- docs/oauth1/security.rst | 12
1 file changed, 7 insertions, 5 deletions
diff --git a/docs/oauth1/security.rst b/docs/oauth1/security.rst
index a1432a9..df1e2a0 100644
--- a/docs/oauth1/security.rst
+++ b/docs/oauth1/security.rst
@@ -16,11 +16,13 @@ A few important facts regarding OAuth security
* **Tokens must be random**, OAuthLib provides a method for generating
secure tokens and it's packed into ``oauthlib.common.generate_token``,
- use it. If you decide to roll your own, use ``random.SystemRandom``
- which is based on ``os.urandom`` rather than the default ``random``
- based on the effecient but not truly random Mersenne Twister.
- Predictable tokens allow attackers to bypass virtually all defences
- OAuth provides.
+ use it. If you decide to roll your own, use ``secrets.SystemRandom``
+ for Python 3.6 and later. The ``secrets`` module is designed for
+ generating cryptographically strong random numbers. For earlier versions
+ of Python, use ``random.SystemRandom`` which is based on ``os.urandom``
+ rather than the default ``random`` based on the effecient but not truly
+ random Mersenne Twister. Predictable tokens allow attackers to bypass
+ virtually all defences OAuth provides.
* **Timing attacks are real** and more than possible if you host your
application inside a shared datacenter. Ensure all ``validate_`` methods
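Review bot: The new wording ("use ``secrets.SystemRandom`` for Python 3.6 and later") does not actually change the recommendation, because ``secrets.SystemRandom`` is the same class as ``random.SystemRandom`` re-exported from the ``secrets`` module; what ``secrets`` adds for token generation are the helpers ``secrets.token_urlsafe()``, ``secrets.token_hex()`` and ``secrets.token_bytes()``, so the added lines should point readers there (for example: "use ``secrets.token_urlsafe()`` for Python 3.6 and later") and keep ``random.SystemRandom`` only as the fallback for older interpreters. Since these lines are being rewritten anyway, also fix the typo carried over from the removed text: "effecient" should read "efficient".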