Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


Skip to content
  • Categories
  • Recent
  • Tags
  • Popular
  • Bookmarks
  • Search
Skins
  • Light
  • Brite
  • Cerulean
  • Cosmo
  • Flatly
  • Journal
  • Litera
  • Lumen
  • Lux
  • Materia
  • Minty
  • Morph
  • Pulse
  • Sandstone
  • Simplex
  • Sketchy
  • Spacelab
  • United
  • Yeti
  • Zephyr
  • Dark
  • Cyborg
  • Darkly
  • Quartz
  • Slate
  • Solar
  • Superhero
  • Vapor
  • Default (No Skin)
  • No Skin
Collapse
Brand Logo

Cloudron Forum
Apps - Status | Demo | Docs | Install
  1. Cloudron Forum
  2. Monica
  3. Monica key and salt

Monica key and salt

Scheduled Pinned Locked Moved Solved Monica
monica
3 Posts 3 Posters 1.9k Views 3 Watching
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • U Offline
    U Offline
    uiharu
    wrote on last edited by girish
    #1

    In /app/data/env
    HASH_SALT is ChangeMeBy20+KeyLength

    Is this of any security concern?

    Also, on a Monica instance upgraded from earlier versions, the APP_KEY also appeared to be an unchanged default. I've since reinstalled the app.

    Thanks 🙂

    1 Reply Last reply
    0
    • nebulonN Offline
      nebulonN Offline
      nebulon
      Staff
      wrote on last edited by
      #2

      The HASH_SALT does look a bit concerning, have to look into this.
      The APP_KEY is now generated on first startup and thus unique to your installation. If you want to recreate it, you have to run php artisan db:seed --class ActivityTypesTableSeeder --force from within a terminal into the app (You can get this through the Cloudron dashbaord) However I don't think this is required, given that it is unique to your instance already.

      1 Reply Last reply
      1
      • girishG Offline
        girishG Offline
        girish
        Staff
        wrote on last edited by
        #3

        https://github.com/monicahq/monica/issues/381 is the security concern.

        Using the ID can allow people to get a very good sense of how many users are on the system and the amount of contacts. It also is information leakage because I know all the URLs for every contact.

I think using a hashid based on the contact id, the user creating it and maybe another factor would work great.
        1 Reply Last reply
        0

        Hello! It looks like you're interested in this conversation, but you don't have an account yet.

        Getting fed up of having to scroll through the same posts each visit? When you register for an account, you'll always come back to exactly where you were before, and choose to be notified of new replies (either via email, or push notification). You'll also be able to save bookmarks and upvote posts to show your appreciation to other community members.

        With your input, this post could be even better 💗

        Register Login
        Reply
        • Reply as topic
        Log in to reply
        • Oldest to Newest
        • Newest to Oldest
        • Most Votes

        • Login
        • Don't have an account? Register
        • Login or register to search.
        • First post
          Last post
        0
        • Categories
        • Recent
        • Tags
        • Popular
        • Bookmarks
        • Search