what is SECRET_KEY_BASE actually good for? #824
smiklosovic asked this question in Self-Hosted Support
Not really, any random string should work for this purpose. The secret key base is used to encrypt the session cookie and signed tokens like the password reset token. If every instance of Plausible used the same secret key base, it would be trivial to create a fake password reset token and take over somebody's account on a different instance.
Hi,
I am not sure what the secret is good for, it seems like I have to set up non-trivial software / dependencies (Erlang OTP, Phoenix, mix etc.) just to execute one command to get that secret (based on the documentation).
Is this a security thing if this secret is exposed to the public?
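
The reply's point about signed tokens, as an added example that is not part of the original thread and is not Plausible's or Phoenix's code: a reset token signed with one instance's secret verifies only where that same secret is configured, which is why each instance needs its own random value. The token format, the function names and the 64-byte secret length are assumptions made for this sketch.

```python
import base64
import hashlib
import hmac
import secrets
import time


def new_secret_key_base(nbytes=64):
    """Random per-instance secret from the OS CSPRNG (64 bytes is this example's choice)."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode()


def _mac(secret, payload):
    return hmac.new(secret.encode(), payload.encode(), hashlib.sha256).digest()


def sign_token(secret, user_id, issued_at=None):
    """Build 'user_id.issued_at.signature'; a hypothetical format, not Phoenix's."""
    issued_at = int(time.time()) if issued_at is None else issued_at
    payload = f"{user_id}.{issued_at}"
    return payload + "." + base64.urlsafe_b64encode(_mac(secret, payload)).decode()


def verify_token(secret, token, max_age=3600, now=None):
    """Return the user id when signature and age are valid, otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        user_id, issued_at, sig = token.rsplit(".", 2)
        age = now - int(issued_at)
        given = base64.urlsafe_b64decode(sig)
    except ValueError:
        return None
    # Constant-time comparison so the check does not leak the expected MAC.
    if not hmac.compare_digest(given, _mac(secret, f"{user_id}.{issued_at}")):
        return None
    return user_id if 0 <= age <= max_age else None


if __name__ == "__main__":
    instance_a = new_secret_key_base()
    instance_b = new_secret_key_base()
    token = sign_token(instance_a, "user-1")  # constructed sample user id
    print("instance A accepts:", verify_token(instance_a, token))
    print("instance B, own secret:", verify_token(instance_b, token))
    print("instance B, same secret as A:", verify_token(instance_a, token))
```

The secret here comes from Python's `secrets` module, so no Erlang or Elixir toolchain is involved in producing the random string.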