From aab03501c2edda84dc35b704ff5209db054f9407 Mon Sep 17 00:00:00 2001
From: Trenton H <797416+stumpylog@users.noreply.github.com>
Date: Thu, 23 Apr 2026 09:11:41 -0700
Subject: [PATCH] Security: Rejects a default secret key where the user did not, in fact, change-me (#12630)
---
 src/paperless/settings/__init__.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/paperless/settings/__init__.py b/src/paperless/settings/__init__.py
index 6f76d3499..79dd98ee3 100644
--- a/src/paperless/settings/__init__.py
+++ b/src/paperless/settings/__init__.py
@@ -463,10 +463,11 @@ SECURE_PROXY_SSL_HEADER = (
 else None
 )
-SECRET_KEY = os.getenv("PAPERLESS_SECRET_KEY", "")
-if not SECRET_KEY: # pragma: no cover
+SECRET_KEY = os.getenv("PAPERLESS_SECRET_KEY")
+_INSECURE_SECRET_KEYS = {None, "", "change-me"}
+if not DEBUG and SECRET_KEY in _INSECURE_SECRET_KEYS: # pragma: no cover
 raise ImproperlyConfigured(
- "PAPERLESS_SECRET_KEY is not set. "
+ "PAPERLESS_SECRET_KEY is not set or is the default 'change-me' value. "
 "A unique, secret key is required for secure operation. "
 'Generate one with: python3 -c "import secrets; print(secrets.token_urlsafe(64))"',
 )
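Review bot: The new `not DEBUG` guard on the `if` line turns the former unconditional failure for an unset key into a silent pass-through in debug mode, and because the `os.getenv` default was dropped at the same time, `SECRET_KEY` is now `None` rather than `""` in that case, so a developer without the variable set presumably hits Django's own generic "SECRET_KEY must not be empty" error instead of this actionable message, while an instance mistakenly run with `DEBUG` enabled keeps the `change-me` value the commit title describes with no warning at all. I would keep the raise for the unset/empty case regardless of `DEBUG`, reserve the bypass for the sentinel only, and log a warning when it is taken, e.g. `if SECRET_KEY in _INSECURE_SECRET_KEYS and not (DEBUG and SECRET_KEY == "change-me"):`. Separately, the rejection is an exact-match set lookup, so a one-character or `"change-me "`-style value still passes even though the error text steers users to `token_urlsafe(64)`; stripping the value and enforcing a minimum length (Django's deploy check uses 50 characters) would close that gap cheaply. Whether `DEBUG` is defined before this point is outside the hunk.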