Add warning about crypt/itsdangeroussecret.bin.

You should not leak that file, really.

2 files changed, 15 insertions, 1 deletions

diff --git a/docs/source/pluginwriter/api.rst b/docs/source/pluginwriter/api.rst
index 3a75d455..6323f713 100644
--- a/docs/source/pluginwriter/api.rst
+++ b/docs/source/pluginwriter/api.rst
@@ -31,4 +31,4 @@ Please check the release notes for updates!
 .. automodule:: mediagoblin.tools.pluginapi
    :members: get_config, register_routes, register_template_path,
              register_template_hooks, get_hook_templates,
-             hook_handle, hook_runall, hook_transform,
+             hook_handle, hook_runall, hook_transform
diff --git a/docs/source/siteadmin/deploying.rst b/docs/source/siteadmin/deploying.rst
index 77e60037..f2f71e01 100644
--- a/docs/source/siteadmin/deploying.rst
+++ b/docs/source/siteadmin/deploying.rst
@@ -345,3 +345,17 @@ Visit the site you've set up in your browser by visiting
    smaller deployments. However, for larger production deployments
    with larger processing requirements, see the
    ":doc:`production-deployments`" documentation.
+
+
+Security Considerations
+~~~~~~~~~~~~~~~~~~~~~~~
+
+.. warning::
+
+   The directory ``user_dev/crypto/`` contains some very
+   sensitive files.
+   Especially the ``itsdangeroussecret.bin`` is very important
+   for session security. Make sure not to leak its contents anywhere.
+   If the contents gets leaked nevertheless, delete your file
+   and restart the server, so that it creates a new secret key.
+   All previous sessions will be invalifated then.