From cbb6c36692f7d882e9026597624c0eb38e01f9cb Mon Sep 17 00:00:00 2001 From: David Lord Date: Sat, 29 Mar 2025 16:18:43 -0700 Subject: [PATCH] update docs about fallback order --- docs/config.rst | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/docs/config.rst b/docs/config.rst index 5695bbd0..e7d4410a 100644 --- a/docs/config.rst +++ b/docs/config.rst @@ -127,13 +127,16 @@ The following configuration values are used internally by Flask: .. py:data:: SECRET_KEY_FALLBACKS - A list of old secret keys that can still be used for unsigning, most recent - first. This allows a project to implement key rotation without invalidating - active sessions or other recently-signed secrets. + A list of old secret keys that can still be used for unsigning. This allows + a project to implement key rotation without invalidating active sessions or + other recently-signed secrets. Keys should be removed after an appropriate period of time, as checking each additional key adds some overhead. + Order should not matter, but the default implementation will test the last + key in the list first, so it might make sense to order oldest to newest. + Flask's built-in secure cookie session supports this. Extensions that use :data:`SECRET_KEY` may not support this yet.
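Review bot: The new sentence "Order should not matter, but the default implementation will test the last key in the list first, so it might make sense to order oldest to newest." leaves it unclear whether "should not matter" refers to correctness or only to performance, and the hedge "might make sense" undercuts a recommendation the hunk already justifies. Suggest stating both halves explicitly, e.g. "Any key in the list will unsign a value it signed, regardless of position. The default implementation tries the last key in the list first, so order the list oldest to newest to keep the most recently retired key at the end." Separately, the retained sentence "Keys should be removed after an appropriate period of time, as checking each additional key adds some overhead." gives only the performance reason for pruning; since the paragraph above says these keys "can still be used for unsigning", a retired key that stays in the list still accepts anything signed with it, so its compromise keeps forging sessions until it is removed. Adding that as the first reason to remove old keys would make the rotation guidance complete.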