


  • In /app/data/env, HASH_SALT is ChangeMeBy20+KeyLength

    Is this of any security concern?

    Also, on a Monica instance upgraded from earlier versions, the APP_KEY appeared to be an unchanged default. I've since reinstalled the app.

    Thanks 🙂

  • Staff

    The HASH_SALT does look a bit concerning; I have to look into this.
    The APP_KEY is now generated on first startup and is thus unique to your installation. If you want to recreate it, you have to run php artisan db:seed --class ActivityTypesTableSeeder --force from within a terminal into the app (you can get this through the Cloudron dashboard). However, I don't think this is required, given that it is unique to your instance already.

  • Staff

    https://github.com/monicahq/monica/issues/381 is the security concern.

    Using the ID can allow people to get a very good sense of how many users are on the system and the number of contacts. It is also information leakage because I know all the URLs for every contact.

    I think using a hashid based on the contact id, the user creating it and maybe another factor would work great.
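The security point behind the two posts above, as an added example (this is not code from the thread, from Monica, or from the hashids project): a hashid is an obfuscation, not encryption, and the salt is its only secret. Below is a compact re-implementation of the hashids algorithm that a HASH_SALT setting feeds, written for this example. It shows that whoever knows the placeholder salt ChangeMeBy20+KeyLength can turn every "opaque" URL token back into the sequential ID (and so count users and contacts and enumerate URLs), while decoding under any other salt yields nothing. The sample IDs, the padding length of 12, the env-file check and the salt generator are assumptions made for the demo, not Monica's own settings or tooling.

```python
"""Why a known HASH_SALT leaks sequential IDs.

Example code written for this thread: a compact re-implementation of the
hashids algorithm plus a check for the placeholder salt. Not Monica's code.
"""
import math
import secrets

DEFAULT_ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890"
DEFAULT_SEPS = "cfhistuCFHISTU"
# Placeholder value reported in /app/data/env in the thread above.
DEFAULT_SALT = "ChangeMeBy20+KeyLength"


def _shuffle(alphabet, salt):
    """hashids 'consistent shuffle': the salt deterministically permutes alphabet."""
    if not salt:
        return alphabet
    chars, v, p = list(alphabet), 0, 0
    for i in range(len(chars) - 1, 0, -1):
        v %= len(salt)
        n = ord(salt[v])
        p += n
        j = (n + v + p) % i
        chars[i], chars[j] = chars[j], chars[i]
        v += 1
    return "".join(chars)


def _split(text, delimiters):
    """Split text on any character in delimiters, keeping empty pieces."""
    parts, cur = [], ""
    for c in text:
        if c in delimiters:
            parts.append(cur)
            cur = ""
        else:
            cur += c
    parts.append(cur)
    return parts


class Hashids:
    """hashids encoder/decoder for the default alphabet (no custom alphabets)."""

    def __init__(self, salt="", min_length=0):
        self.salt, self.min_length = salt, min_length
        alphabet = "".join(c for c in DEFAULT_ALPHABET if c not in DEFAULT_SEPS)
        self.seps = _shuffle(DEFAULT_SEPS, salt)
        alphabet = _shuffle(alphabet, salt)
        guards = math.ceil(len(alphabet) / 12)
        self.guards, self.alphabet = alphabet[:guards], alphabet[guards:]

    def encode(self, *numbers):
        if not numbers or any(n < 0 for n in numbers):
            raise ValueError("hashids encodes one or more non-negative integers")
        alphabet = self.alphabet
        num_hash = sum(n % (i + 100) for i, n in enumerate(numbers))
        lottery = alphabet[num_hash % len(alphabet)]
        out = lottery
        for i, n in enumerate(numbers):
            alphabet = _shuffle(alphabet, (lottery + self.salt + alphabet)[:len(alphabet)])
            rem, chunk = n, ""
            while True:  # base-len(alphabet) digits, most significant first
                chunk = alphabet[rem % len(alphabet)] + chunk
                rem //= len(alphabet)
                if rem == 0:
                    break
            out += chunk
            if i + 1 < len(numbers):
                out += self.seps[(n % (ord(chunk[0]) + i)) % len(self.seps)]
        # Pad to min_length with guard characters and shuffled alphabet, as hashids does.
        if len(out) < self.min_length:
            out = self.guards[(num_hash + ord(out[0])) % len(self.guards)] + out
        if len(out) < self.min_length:
            out += self.guards[(num_hash + ord(out[2])) % len(self.guards)]
        half = len(alphabet) // 2
        while len(out) < self.min_length:
            alphabet = _shuffle(alphabet, alphabet)
            out = alphabet[half:] + out + alphabet[:half]
            excess = len(out) - self.min_length
            if excess > 0:
                out = out[excess // 2: excess // 2 + self.min_length]
        return out

    def decode(self, hashid):
        """Return the encoded integers, or () if hashid is not valid under this salt."""
        parts = _split(hashid, self.guards)
        payload = parts[1] if len(parts) in (2, 3) else parts[0]
        if not payload:
            return ()
        lottery, alphabet, numbers = payload[0], self.alphabet, []
        for chunk in _split(payload[1:], self.seps):
            alphabet = _shuffle(alphabet, (lottery + self.salt + alphabet)[:len(alphabet)])
            if not chunk or any(c not in alphabet for c in chunk):
                return ()
            n = 0
            for c in chunk:
                n = n * len(alphabet) + alphabet.index(c)
            numbers.append(n)
        # Re-encode and compare, as the library does: a wrong salt gives () rather
        # than a confidently wrong number.
        return tuple(numbers) if self.encode(*numbers) == hashid else ()


def hash_salt_is_default(env_text):
    """True if an env file still carries the placeholder (or no) HASH_SALT."""
    for line in env_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "HASH_SALT":
            return value.strip().strip("'\"") in ("", DEFAULT_SALT)
    return True  # no HASH_SALT line at all is as bad as the placeholder


def new_hash_salt():
    """An unguessable replacement salt: 32 random bytes, URL-safe base64."""
    return secrets.token_urlsafe(32)


def recover_ids(tokens, salt=DEFAULT_SALT, min_length=12):
    """Attacker's view: decode public tokens under the salt they assume (None = failed)."""
    h = Hashids(salt, min_length)
    return [h.decode(t)[0] if h.decode(t) else None for t in tokens]


if __name__ == "__main__":
    ids = [1, 2, 3, 7, 42, 1337]                      # constructed sample contact IDs
    server = Hashids(DEFAULT_SALT, min_length=12)      # instance left on the placeholder
    tokens = [server.encode(i) for i in ids]
    print("tokens:", tokens)
    print("recovered with the placeholder salt:", recover_ids(tokens))
    print("recovered with a fresh salt:       ", recover_ids(tokens, new_hash_salt()))
```

Run it once and the first recovery line prints the original IDs back, so anyone who reads the placeholder out of a public .env.example can map every contact URL to its row number and gauge how many users and contacts an instance has; the second line prints only None. The fix is the same as for APP_KEY: generate a per-installation value (new_hash_salt above) at install time and refuse to start, or at least warn, while hash_salt_is_default is true.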