This repository has been archived by the owner on Feb 21, 2022. It is now read-only.

[SW-295] Remove default static secret key from the base settings #264

Open
fuomag9 opened this issue Dec 17, 2019 · 1 comment

fuomag9 commented Dec 17, 2019

The-zoo is vulnerable to a cryptography issue since Django's SECRET_KEY variable in settings.py will fall back to mucho secretto if no SECRET_KEY environment variable is provided when deploying the webserver.

Steps To Reproduce:

  • Deploy the-zoo without providing a SECRET_KEY environment variable
  • Django's SECRET_KEY will default to mucho secretto as per line 79 in settings.py

Vulnerable line: SECRET_KEY = env("SECRET_KEY", default="mucho secretto")

Impact:

Running Django with a known SECRET_KEY defeats many of Django’s security protections, and can lead to privilege escalation and remote code execution vulnerabilities.

Remediation:

Preventing startup, or generating a random key for every run, might be better practice.
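The following is an added example, not code from the-zoo or its maintainers. It mirrors the reported fallback beside one possible form of the remediation suggested above: a settings-module loader that refuses to start when SECRET_KEY is absent or is a known placeholder, with an explicit opt-in to mint a random per-process key for local development. The `SecretKeyError` class, the 50-character length floor, the `KNOWN_PLACEHOLDERS` set and the `allow_ephemeral` flag are assumptions made for the example; the `SECRET_KEY` variable name and the `mucho secretto` default come from the issue.

```python
"""Secret-key loading for a Django settings module (added example).

`vulnerable_secret_key` reproduces the reported
`env("SECRET_KEY", default="mucho secretto")` behaviour; `hardened_secret_key`
refuses to start without a real key instead of falling back.
"""
import secrets
from typing import Mapping

# Environment variable the settings module reads (name taken from the issue).
SECRET_KEY_VAR = "SECRET_KEY"
# The fallback value reported in the issue.
INSECURE_DEFAULT = "mucho secretto"
# Hypothetical policy for this example: reject anything shorter than the
# 50 characters `django-admin startproject` generates, and reject known
# placeholder values outright.
MIN_SECRET_KEY_LENGTH = 50
KNOWN_PLACEHOLDERS = frozenset({INSECURE_DEFAULT, "changeme", "secret"})


class SecretKeyError(RuntimeError):
    """Raised when no acceptable SECRET_KEY is configured. Stand-in for
    django.core.exceptions.ImproperlyConfigured so the example runs without Django."""


def vulnerable_secret_key(environ: Mapping[str, str]) -> str:
    """Behaviour the issue reports: a missing variable silently yields a
    publicly known key, so every deployment without SECRET_KEY shares it."""
    return environ.get(SECRET_KEY_VAR, INSECURE_DEFAULT)


def hardened_secret_key(environ: Mapping[str, str], *, allow_ephemeral: bool = False) -> str:
    """Return a usable secret key or raise; never fall back to a constant.

    allow_ephemeral=True is meant for `manage.py runserver` on a developer
    machine: a fresh random key is minted per process, so signed cookies,
    sessions and password-reset tokens stop validating after a restart.
    That is the intended trade-off; never enable it for a deployed instance.
    """
    key = environ.get(SECRET_KEY_VAR, "").strip()
    if not key:
        if allow_ephemeral:
            # 48 random bytes -> 64 URL-safe characters, above the length floor.
            return secrets.token_urlsafe(48)
        raise SecretKeyError(
            f"{SECRET_KEY_VAR} is not set; refusing to start with a default key"
        )
    if key in KNOWN_PLACEHOLDERS:
        raise SecretKeyError(f"{SECRET_KEY_VAR} is a known placeholder value")
    if len(key) < MIN_SECRET_KEY_LENGTH:
        raise SecretKeyError(
            f"{SECRET_KEY_VAR} is {len(key)} characters; need at least {MIN_SECRET_KEY_LENGTH}"
        )
    return key


def secret_key_is_safe(environ: Mapping[str, str]) -> bool:
    """Pre-flight check for a deploy script: True only when hardened_secret_key
    would accept the environment as-is (no ephemeral opt-in)."""
    try:
        hardened_secret_key(environ)
    except SecretKeyError:
        return False
    return True


if __name__ == "__main__":
    # In settings.py the reported line would become something like
    #   SECRET_KEY = hardened_secret_key(os.environ,
    #                                    allow_ephemeral=env.bool("DEV_EPHEMERAL_SECRET_KEY", default=False))
    # where DEV_EPHEMERAL_SECRET_KEY is a hypothetical opt-in for local development.
    print(vulnerable_secret_key({}))                                       # mucho secretto
    print(secret_key_is_safe({}))                                          # False
    print(secret_key_is_safe({"SECRET_KEY": secrets.token_urlsafe(48)}))  # True
```

The key is stripped of surrounding whitespace before the checks so a trailing newline from a secrets file does not pass a short key through. For deployments driven by docker-compose, the same fail-fast effect can be had at the compose layer with the `${SECRET_KEY:?SECRET_KEY must be set}` substitution syntax, which makes compose refuse to bring the service up rather than start it with an empty value.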

aexvir (Member) commented Dec 17, 2019

👋 Hi @fuomag9 , thanks for raising awareness on this issue

I agree that specifying a default secret key might end up causing issues for other people wanting to deploy this project. I believe it was set up mainly to facilitate local development, but we can definitely set it in the docker-compose.yml file instead of the settings.py file to avoid this.

@aexvir aexvir self-assigned this Dec 17, 2019
@aexvir aexvir changed the title The-zoo is vulnerable to a cryptography issue since the Django's SECRET_KEY in settings.py variable will fallback to mucho secretto if no SECRET_KEY environment variable is provided when deploying the webserver Remove default static secret key from the base settings Dec 18, 2019
@aexvir aexvir changed the title Remove default static secret key from the base settings [SW-295] Remove default static secret key from the base settings Jan 8, 2020