In src/cryptoadvance/specter/config.py (line 220), the DevelopmentConfig class sets:
SECRET_KEY = "development key"
This is a static, well-known string. Flask uses SECRET_KEY for signing session cookies and CSRF tokens. If someone accidentally runs the app with DevelopmentConfig in a non-localhost setup (which can happen if the config env variable isn't set properly, or during a rushed deployment), all session cookies become predictable. An attacker who knows this string could forge sessions.
ProductionConfig correctly uses secrets.token_urlsafe(16), so the production path is fine. But there's no runtime check or warning that tells the user "hey, you're running with a dev config on a non-localhost address, that's not safe."
A simple fix could be adding a warning log at startup if SECRET_KEY is set to a known default value and the server is not bound to localhost. Or even just adding a comment in the config making it more obvious that this should never be used outside of local development.
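One way to implement the startup check described above, as an added example rather than Specter's own code: the only value taken from the project is the "development key" string; the function names, the host argument, and the idea of treating 0.0.0.0 / :: (bind to all interfaces) as non-localhost are assumptions of this example. The caller would pass app.config["SECRET_KEY"] and whatever host the server is about to bind to.

```python
import ipaddress
import logging
from typing import Optional

# The only known default taken from the page (DevelopmentConfig.SECRET_KEY).
# Everything else here is an added example, not Specter's own code.
KNOWN_DEFAULT_SECRET_KEYS = frozenset({"development key"})

log = logging.getLogger(__name__)


def is_loopback_host(host: str) -> bool:
    """Return True only if `host` clearly refers to the local machine."""
    host = host.strip().lower()
    if host in ("localhost", "localhost.localdomain"):
        return True
    try:
        # Accept a bracketed IPv6 literal such as "[::1]" as well as "::1".
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        # Any other hostname may resolve to a reachable address: be conservative.
        # Note that 0.0.0.0 and :: parse fine and are NOT loopback, so binding
        # to all interfaces is correctly reported as unsafe.
        return False


def secret_key_warning(secret_key: str, host: str) -> Optional[str]:
    """
    Return a warning message if the app uses a well-known SECRET_KEY while
    listening on a non-loopback address; return None when the configuration
    is acceptable (random key, or known key but loopback only).
    """
    if secret_key not in KNOWN_DEFAULT_SECRET_KEYS:
        return None
    if is_loopback_host(host):
        return None
    return (
        f"SECRET_KEY is a well-known development default while the server is "
        f"bound to {host!r}; session cookies and CSRF tokens signed with it "
        f"cannot be trusted. Use ProductionConfig or set a random SECRET_KEY "
        f"before exposing this instance."
    )


def warn_if_unsafe_secret_key(secret_key: str, host: str) -> bool:
    """Log the warning at startup; return True if a warning was emitted."""
    message = secret_key_warning(secret_key, host)
    if message is None:
        return False
    log.warning(message)
    return True


if __name__ == "__main__":
    import secrets

    logging.basicConfig(level=logging.WARNING)
    # Constructed sample startups: dev key on loopback is fine, dev key on all
    # interfaces or a LAN address is not, and a random key is always fine.
    warn_if_unsafe_secret_key("development key", "127.0.0.1")
    warn_if_unsafe_secret_key("development key", "0.0.0.0")
    warn_if_unsafe_secret_key("development key", "192.168.1.5")
    warn_if_unsafe_secret_key(secrets.token_urlsafe(16), "0.0.0.0")
```

The check is deliberately conservative: an unrecognised hostname is treated as non-local, because a name other than localhost can resolve to an address reachable from the network, and the warning text tells the operator what to change rather than just that something is wrong.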