Hardcoded Django Secret Key in Calculator Project Exposes Sessions to Hijacking Risk
A critical security vulnerability has been identified in the `calculator` project's Django configuration: the SECRET_KEY is hardcoded directly in `settings.py`. The flaw maps to CWE-798 (Use of Hard-coded Credentials) and undermines the cryptographic signing that protects password reset tokens, signed cookies and anything else built on `django.core.signing`. The exposed key, `django-insecure-ss%htkf71$0dfjf*_@l^u9y551+sou%=outz=cs+v(s9bb6+o^`, appears on line 23 of the file, next to the warning comment that urges developers to keep the key secret in production. The `django-insecure-` prefix marks it as the placeholder that `django-admin startproject` generates for local development; it was never meant to reach a repository, let alone a deployment.
The vulnerability carries significant weight because the SECRET_KEY is the root of Django's cryptographic signing: anyone holding it can produce signatures the server accepts as its own. With the `signed_cookies` session backend that means minting a session cookie for any user ID and impersonating that account outright. With the default database-backed sessions the session cookie is only a random identifier and does not involve the key, but the key still signs password reset tokens and the cookie-based messages storage. A reset token can be forged by an attacker who knows the key together with the values the token binds (the user's primary key, email, current password hash and last login time), so a readable user table plus this key becomes account takeover without ever touching the target's inbox. `DEBUG = True` in the same file compounds the risk: if the service is reachable, any unhandled exception renders a detailed traceback with local variables and the (partially redacted) settings, handing an attacker application internals that make the next step easier.
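To make the impersonation concrete, here is an added illustration in plain Python; it is not code from the `calculator` project or from Django. It models the salted-HMAC scheme behind `django.core.signing.Signer` (HMAC key derived as SHA-256 of salt plus secret, urlsafe base64 signature without padding, `value:signature` on the wire) with the leaked key from `settings.py` as the secret, then shows a forged session value being accepted while that key is live and rejected after rotation. The `signed_cookies` salt, the payload shape in `forge_session` and the replacement key are assumptions for illustration; wire compatibility with a specific Django release is not claimed.

```python
"""Why a leaked SECRET_KEY is an impersonation primitive.

Added illustration, not code from the calculator project or from Django.
It models the salted-HMAC scheme behind django.core.signing.Signer
(HMAC key = sha256(salt + secret), signature = urlsafe base64 without
padding, "value:signature" on the wire). The salt, the cookie payload
shape and the replacement key are assumptions.
"""
import base64
import hashlib
import hmac
from typing import Dict, Optional

# The literal from settings.py line 23, as quoted in the advisory.
LEAKED_KEY = "django-insecure-ss%htkf71$0dfjf*_@l^u9y551+sou%=outz=cs+v(s9bb6+o^"
# Salt the signed_cookies session backend uses (assumed for this model).
SESSION_SALT = "django.contrib.sessions.backends.signed_cookies"


def salted_hmac(key_salt: str, value: str, secret: str) -> bytes:
    """Derive a per-purpose key from (salt, secret), then HMAC the value."""
    derived = hashlib.sha256((key_salt + secret).encode()).digest()
    return hmac.new(derived, value.encode(), hashlib.sha256).digest()


def b64_nopad(data: bytes) -> str:
    """Urlsafe base64 with the '=' padding stripped, as Django emits it."""
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def sign(value: str, secret: str, salt: str = SESSION_SALT) -> str:
    """Server side: attach a signature so the cookie can be trusted when it comes back."""
    return f"{value}:{b64_nopad(salted_hmac(salt + 'signer', value, secret))}"


def unsign(signed: str, secret: str, salt: str = SESSION_SALT) -> Optional[str]:
    """Server side: return the payload if the signature verifies, else None."""
    value, sep, sig = signed.rpartition(":")
    if not sep:
        return None
    expected = b64_nopad(salted_hmac(salt + "signer", value, secret))
    return value if hmac.compare_digest(sig, expected) else None


def forge_session(user_id: int, secret: str) -> str:
    """Attacker side: nothing but the leaked key is needed to mint a cookie for any user."""
    payload = f'{{"_auth_user_id":"{user_id}"}}'  # constructed payload shape
    return sign(payload, secret)


def demo() -> Dict[str, Optional[str]]:
    """Forged cookie is accepted while the leaked key is live, rejected once it is rotated."""
    forged = forge_session(1, LEAKED_KEY)
    rotated_key = "replacement-key-from-get_random_secret_key-0123456789abcdef"  # hypothetical
    return {
        "forged": forged,
        "accepted_with_leaked_key": unsign(forged, LEAKED_KEY),
        "accepted_after_rotation": unsign(forged, rotated_key),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of `demo()` is the asymmetry: the attacker never needs the database, a password or a phishing step, only the string that was committed to `settings.py`. Rotating the key is what turns `accepted_after_rotation` into `None`, which is also why rotation is the first remediation step rather than an afterthought.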
The exposure pathways are numerous. If the repository is pushed to a public host, leaked through a supply chain compromise, or lifted from a developer's workstation, the key can be harvested and used immediately. Organizations using this codebase should treat the current SECRET_KEY as compromised and rotate it now. Remediation involves generating a fresh key (Django's `get_random_secret_key()` is adequate), reading it from an environment variable or secret store instead of a literal in `settings.py`, disabling debug mode in production deployments, and establishing automated scanning in the commit pipeline so hardcoded secrets never reach version control. Rotation has a side effect to plan for: every signature made under the old key stops verifying, so `signed_cookies` sessions and outstanding reset links are invalidated; on Django 4.1 and later, listing the old key in `SECRET_KEY_FALLBACKS` keeps verification working during the cutover while new signatures use the replacement, and the old key should be dropped once the cutover is complete. `manage.py check --deploy` already flags a key shorter than 50 characters or carrying the `django-insecure-` prefix as `security.W009`, and is a cheap gate to add to CI.
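The remediation above in working form, as an added example that is not the `calculator` project's own code: a settings loader that fails fast unless a production-grade key is supplied through the environment, a fallback-key list for graceful rotation, and a small pre-commit scanner run over a constructed `settings.py` body shaped like the vulnerable one and over its hardened replacement. The environment variable names (`DJANGO_SECRET_KEY`, `DJANGO_SECRET_KEY_FALLBACKS`, `DJANGO_DEBUG`) are assumptions; `SECRET_KEY_FALLBACKS` is a real Django setting, and the length, uniqueness and prefix criteria are the ones `manage.py check --deploy` applies.

```python
"""Remediation helpers: environment-sourced settings plus a pre-commit scanner.

Added example, not code from the calculator project. The environment
variable names (DJANGO_SECRET_KEY, DJANGO_SECRET_KEY_FALLBACKS, DJANGO_DEBUG)
are assumptions; SECRET_KEY_FALLBACKS is a real Django setting (4.1+) and
the 50-character / 5-unique-character / "django-insecure-" criteria are the
ones manage.py check --deploy applies as security.W009.
"""
import re
from typing import Dict, List

INSECURE_PREFIX = "django-insecure-"


class ImproperlyConfigured(Exception):
    """Stand-in for django.core.exceptions.ImproperlyConfigured so this runs without Django."""


def is_production_grade(key: str) -> bool:
    """Same criteria as Django's security.W009 check."""
    return len(key) >= 50 and len(set(key)) >= 5 and not key.startswith(INSECURE_PREFIX)


def secret_key_from_env(environ: Dict[str, str]) -> str:
    """What settings.py should do instead of a literal: refuse to start on a missing or weak key."""
    key = environ.get("DJANGO_SECRET_KEY", "")
    if not is_production_grade(key):
        raise ImproperlyConfigured("DJANGO_SECRET_KEY is unset, short, or a startproject placeholder")
    return key


def fallback_keys_from_env(environ: Dict[str, str]) -> List[str]:
    """Old keys kept only for verifying existing signatures during rotation."""
    return [k for k in environ.get("DJANGO_SECRET_KEY_FALLBACKS", "").split(",") if k]


def debug_from_env(environ: Dict[str, str]) -> bool:
    """DEBUG defaults to off and has to be switched on deliberately."""
    return environ.get("DJANGO_DEBUG", "false").lower() in ("1", "true", "yes")


# Pre-commit scanner: a quoted SECRET_KEY literal, and DEBUG = True.
SECRET_KEY_LITERAL = re.compile(r"""^\s*SECRET_KEY\s*=\s*(['"])(?P<key>[^'"\n]+)\1""", re.M)
DEBUG_TRUE = re.compile(r"^\s*DEBUG\s*=\s*True\b", re.M)


def _line_of(text: str, offset: int) -> int:
    return text.count("\n", 0, offset) + 1


def scan_settings(text: str) -> List[str]:
    """Return one finding per problem in a settings.py body; an empty list means clean."""
    findings = []
    for m in SECRET_KEY_LITERAL.finditer(text):
        key = m.group("key")
        kind = "startproject placeholder" if key.startswith(INSECURE_PREFIX) else "literal"
        findings.append(f"line {_line_of(text, m.start())}: hardcoded SECRET_KEY ({kind}, {len(key)} chars)")
    for m in DEBUG_TRUE.finditer(text):
        findings.append(f"line {_line_of(text, m.start())}: DEBUG = True")
    return findings


# Constructed samples: the vulnerable shape described in the advisory and its hardened form.
VULNERABLE_SETTINGS = """\
# SECURITY WARNING: keep the secret key used in production secret!
SECRET_KEY = 'django-insecure-ss%htkf71$0dfjf*_@l^u9y551+sou%=outz=cs+v(s9bb6+o^'

# SECURITY WARNING: don't run with debug turned on in production!
DEBUG = True
"""

HARDENED_SETTINGS = """\
import os
SECRET_KEY = os.environ["DJANGO_SECRET_KEY"]
SECRET_KEY_FALLBACKS = [k for k in os.environ.get("DJANGO_SECRET_KEY_FALLBACKS", "").split(",") if k]
DEBUG = os.environ.get("DJANGO_DEBUG", "false").lower() == "true"
"""

if __name__ == "__main__":
    for name, body in (("vulnerable", VULNERABLE_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(name, scan_settings(body) or ["clean"])
```

The scanner is deliberately narrow (a quoted literal assigned to `SECRET_KEY`, and `DEBUG = True`) so it has no false positives on the hardened form; a general-purpose secret scanner such as one keyed on entropy or on known token formats belongs alongside it, not instead of it, because a Django key has no recognizable format beyond the `django-insecure-` prefix.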