Add warning about crypt/itsdangeroussecret.bin.
author Elrond <elrond+mediagoblin.org@samba-tng.org>
Mon, 29 Apr 2013 22:24:45 +0000 (00:24 +0200)
committer Elrond <elrond+mediagoblin.org@samba-tng.org>
Mon, 29 Apr 2013 22:26:06 +0000 (00:26 +0200)
You should not leak that file, really.

docs/source/pluginwriter/api.rst
docs/source/siteadmin/deploying.rst

index 3a75d455611f6120b7a83442725875b3a0cef975..6323f71307f7947ee53e5e55a09ac4057e747122 100644 (file)
@@ -31,4 +31,4 @@ Please check the release notes for updates!
 .. automodule:: mediagoblin.tools.pluginapi
    :members: get_config, register_routes, register_template_path,
              register_template_hooks, get_hook_templates,
-             hook_handle, hook_runall, hook_transform,
+             hook_handle, hook_runall, hook_transform
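Review bot: the trailing-comma removal on the ``:members:`` line of the automodule directive is unrelated to the security warning this commit adds; consider moving it into its own small commit so the history stays focused. The resulting list ``hook_handle, hook_runall, hook_transform`` is otherwise fine as the last line of the directive.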
index 77e6003795a7272b8d850e080b7572c8e803eca7..f2f71e01c2042064cc1c3ab22faa9dae249a00ec 100644 (file)
@@ -345,3 +345,17 @@ Visit the site you've set up in your browser by visiting
    smaller deployments. However, for larger production deployments
    with larger processing requirements, see the
    ":doc:`production-deployments`" documentation.
+
+
+Security Considerations
+~~~~~~~~~~~~~~~~~~~~~~~
+
+.. warning::
+
+   The directory ``user_dev/crypto/`` contains some very
+   sensitive files.
+   Especially the ``itsdangeroussecret.bin`` is very important
+   for session security. Make sure not to leak its contents anywhere.
+   If the contents gets leaked nevertheless, delete your file
+   and restart the server, so that it creates a new secret key.
+   All previous sessions will be invalifated then.
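Review bot: the last added line has a typo, ``invalifated`` should be ``invalidated``, and ``If the contents gets leaked nevertheless`` reads better as ``If the contents do get leaked``. Since the warning tells the admin to delete the file, naming it by its full path, ``user_dev/crypto/itsdangeroussecret.bin``, would make that instruction unambiguous.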