craftcms/craft

Security key variable removed from config/general.php

robzor opened this issue · 2 comments

Description

Hi there,

In this commit:
34e84a1

You have removed the var:
'securityKey' => App::env('CRAFT_SECURITY_KEY'),

And I can't find any documentation to explain why this change has been made. I understand that you've renamed all the .env vars that are created to have a CRAFT_ prefix, but where is the security key now referenced? Is it just an assumed global type thing?

Servd (the hosting company) currently inject a SECURITY_KEY variable into a dynamic .env file, so I've let them know it should have a CRAFT_ prefix, as I was getting this deprecation warning on their servers:

"The auto-generated validation key stored at /var/www/html/storage/runtime/validation.key has been deprecated. Copy its value to the securityKey config setting in config/general.php."

Additional info

  • Craft version: 4.0.4
  • PHP version: 8.0.17

The reason is because of this here:

https://craftcms.com/docs/4.x/config/#config-environment-variables

Craft’s general config settings and database connection settings can be defined exclusively by environment variables using a CRAFT_ or CRAFT_DB_ prefix respectively.

Combine the prefix with the config setting in screaming snake case. The allowUpdates setting, for example, would be CRAFT_ALLOW_UPDATES. The database port setting would be CRAFT_DB_PORT.

In Craft CMS 4, any general config or database settings key can be overridden by an environment variable following the naming convention described. You no longer have to define it in the general config file itself if you declare the environment variable matching the name format.

So the removal of the security key is down to the fact that Craft will look for CRAFT_SECURITY_KEY, or any environment variable matching the convention, i.e. CRAFT_ALLOW_UPDATES, without having to set it in general config at all now. You can of course still set it to something else, but it just allows less work now. The requirement is that it must be prefixed with CRAFT_ to be automatically detected; otherwise you'd have to define SECURITY_KEY and set it in your general config.

I would assume it's because creating environment variables and then having to define them in a config file is a little bit awkward, so Craft 4 basically now checks for the presence of any CRAFT_ environment variables to save you the time.
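The naming convention and the situation from this issue, as an added example that is not part of the original thread and is not Craft's own code: a deploy-time check that derives the expected variable name from the setting name and reports whether a dotenv file supplies the security key under the prefixed name, only under the unprefixed name, or not at all. The function names are hypothetical, and the parser assumes plain `KEY=value` lines (no `export`, no inline comments).

```shell
#!/usr/bin/env bash
# Added example (not Craft's own code). Function names are hypothetical.

# Map a camelCase general config setting to the env var name the docs
# describe: CRAFT_ prefix + screaming snake case.
craft_env_name() {
  printf 'CRAFT_%s\n' "$(printf '%s' "$1" \
    | sed 's/\([a-z0-9]\)\([A-Z]\)/\1_\2/g' \
    | tr '[:lower:]' '[:upper:]')"
}

# Print the value of key $2 in dotenv file $1 (last assignment wins),
# with surrounding quotes stripped. Prints nothing if absent or empty.
dotenv_get() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
    | tail -n 1 \
    | sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Classify how securityKey would be found for a given dotenv file:
#   ok      - CRAFT_SECURITY_KEY has a non-empty value
#   legacy  - only unprefixed SECURITY_KEY is set; rename it or reference
#             it explicitly in config/general.php
#   missing - neither name has a value
check_security_key() {
  name=$(craft_env_name securityKey)
  if [ -n "$(dotenv_get "$1" "$name")" ]; then
    echo ok
  elif [ -n "$(dotenv_get "$1" "${name#CRAFT_}")" ]; then
    echo legacy
  else
    echo missing
  fi
}

# Constructed sample: a host-injected .env that uses the unprefixed name.
demo_env=$(mktemp)
printf 'CRAFT_ALLOW_UPDATES=false\nSECURITY_KEY="constructed-sample-value"\n' > "$demo_env"
echo "$(craft_env_name securityKey): $(check_security_key "$demo_env")"
rm -f "$demo_env"
```

An empty placeholder such as `CRAFT_SECURITY_KEY=` is treated as unset, so a template file that was never filled in does not pass the check.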

Hi @jamesmacwhite, thanks for getting back to me and providing the context for the change, much appreciated!