How do I hide my secret_key using virtualenv and Django?

Jon Kennedy

I am using Django, python, virtualenv, virtualenvwrapper and Vagrant.

So far I have simply left my secret_key inside of the settings.py file. This works fine for local files. However, I have already placed my files in Git. I know this is not acceptable for production (Apache).

What is the correct way to go about hiding my secret_key?

Should I use virtualenv to hide it?

Alex Van Liew

There are a lot of different methods to hide secrets.

  1. Use another, non-versioned file.

    Create a new file secrets.py or what have you and put your secrets in that. Place it alongside your settings file and place everything secret in there; then in your settings file put `from secrets import *` at the top. Then, like Rahul said, add a .gitignore file and add secrets.py to this file so that it won't be committed.

    The disadvantage of this approach is that there is no source control at all on that file; if you lose it you're SOL.

  2. Use environment variables.

    Use the Apache SetEnv or PassEnv directives to pass environment variables to your process, then retrieve them with os.environ() in your settings file. This has the advantage in that in development, you can set new variables (as simply as VAR1=whatever VAR2=whatever ... ./manage.py runserver ...) or set them from whatever mechanism you use to launch your development project.

    The disadvantage is much the same; if you lose your Apache configs you're boned.

  3. Use a second repository in combination with method 1.

    Personally, I like the idea of having a dedicated secrets repository that you put all your secrets into and keep that repo under lock and key. Then as part of your deployment process, you can use git archive or another similar command to extract the proper keys for the place you're deploying to, and you can keep your secrets backed up and under version control easily. You can also add the appropriate files in the secrets repo to the .gitignore file of your site repository so that they don't accidentally get committed.

    The downside of this is that you have another extra repository and another deployment step. I think that's worth it, personally, but it's really up to you.

In general, the more secure you want it, the more inconvenient it's going to be to access those secrets. That's really a rule in general, though.
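Added example, not code from the question or the answer above: methods 1 and 2 combined in working Python. The loader prefers an environment variable (what Apache SetEnv or a shell export would supply) and falls back to a git-ignored file next to settings.py; it refuses to start with no key or a short key, generates the file with owner-only permissions, and keeps .gitignore in step. The names DJANGO_SECRET_KEY and .secret_key are assumptions for the example, not Django conventions, and the stdlib `secrets` module stands in for Django's get_random_secret_key() so the block runs without Django installed.

```python
"""Load Django's SECRET_KEY from the environment first, then from a git-ignored file."""
import os
import secrets
import stat
import tempfile
from pathlib import Path
from typing import Mapping

# Assumed names for this example: the loader reads DJANGO_SECRET_KEY (method 2)
# and falls back to a file called .secret_key next to settings.py (method 1).
# Neither name is a Django convention; pick your own and keep .gitignore in step.
ENV_NAME = "DJANGO_SECRET_KEY"
SECRET_FILE_NAME = ".secret_key"
MIN_KEY_LENGTH = 50  # Django's deploy check (security.W009) warns below 50 characters


class SecretKeyError(RuntimeError):
    """No usable key found; in a real settings.py raise ImproperlyConfigured instead."""


def load_secret_key(env: Mapping[str, str], secrets_dir: Path) -> str:
    """Return the key from the environment if set, otherwise from the git-ignored file."""
    key = env.get(ENV_NAME, "").strip()
    if not key:
        path = secrets_dir / SECRET_FILE_NAME
        if path.is_file():
            key = path.read_text(encoding="utf-8").strip()
    if not key:
        raise SecretKeyError(f"set {ENV_NAME} or create {secrets_dir / SECRET_FILE_NAME}")
    if len(key) < MIN_KEY_LENGTH:
        raise SecretKeyError(f"SECRET_KEY is shorter than {MIN_KEY_LENGTH} characters")
    return key


def create_secret_file(secrets_dir: Path) -> Path:
    """Write a fresh random key to the git-ignored file, readable by the owner only.

    Uses the stdlib `secrets` module; inside a Django environment
    django.core.management.utils.get_random_secret_key() does the same job.
    """
    path = secrets_dir / SECRET_FILE_NAME
    key = secrets.token_urlsafe(48)  # 64 URL-safe characters, 384 bits of entropy
    # O_EXCL refuses to clobber an existing key; mode 0600 keeps other users out.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, stat.S_IRUSR | stat.S_IWUSR)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(key + "\n")
    return path


def ensure_gitignored(repo_dir: Path) -> bool:
    """Add the secrets file to .gitignore unless already listed; return True if added."""
    gitignore = repo_dir / ".gitignore"
    lines = gitignore.read_text(encoding="utf-8").splitlines() if gitignore.exists() else []
    if SECRET_FILE_NAME in lines:
        return False
    with gitignore.open("a", encoding="utf-8") as fh:
        fh.write(SECRET_FILE_NAME + "\n")
    return True


def demo() -> dict:
    """Run the whole flow in a scratch directory standing in for the project root."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        results = {"missing_raises": False, "short_raises": False}
        try:
            load_secret_key({}, root)  # nothing configured yet: must refuse to start
        except SecretKeyError:
            results["missing_raises"] = True
        results["gitignore_added"] = ensure_gitignored(root)
        results["gitignore_idempotent"] = not ensure_gitignored(root)
        path = create_secret_file(root)
        results["mode_ok"] = os.name != "posix" or (path.stat().st_mode & 0o077) == 0
        results["file_key"] = load_secret_key({}, root)
        # Method 2 takes precedence over method 1, as it would under Apache SetEnv.
        results["env_key"] = load_secret_key({ENV_NAME: "e" * MIN_KEY_LENGTH}, root)
        try:
            load_secret_key({ENV_NAME: "too-short"}, root)
        except SecretKeyError:
            results["short_raises"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

In settings.py the call would be `SECRET_KEY = load_secret_key(os.environ, Path(__file__).resolve().parent)`; under mod_wsgi note that SetEnv values are visible to Apache but not automatically to the WSGI process, so check what actually reaches `os.environ` before relying on it there.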

