Django SECRET KEY

Django SECRET KEY

Kegan Ronholt
What is the best practice for hiding the SECRET key in settings.py in production? I am finding all sorts of different ways to do it, but none seem to work.


--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/6660766c-6ed4-4500-9006-c8289158f749n%40googlegroups.com.

Re: Django SECRET KEY

Abhishek Choudhury
I use the environment variable that is in Windows, and later in the script I pull the values using os.environ.get('Key_Name')  # Since this is a dictionary, we use '' ".
  
With Best Regards,
Abhishek Choudhury
Ph. No.: +91 7903717967






Re: Django SECRET KEY

Mike Dewhirst-3
In reply to this post by Kegan Ronholt
On 5/11/2020 1:54 am, Kegan Ronholt wrote:
> What is the best practice for hiding SECRET key in settings.py in
> production. I am finding all sorts of different ways to do it, but
> none seem to work.

I keep it in a file left out of the repository but in a "standard"
location known to the web server.

I have a simple utility to read the file into a list and just use a list
item as the secret key. I like it because there are typically half a
dozen different secrets per project. They include database credentials,
email server details, captcha keys and so on. It is handy having a
system to get all such stuff without needing to store it unsafely. I
also like using the top few lines for credentials and lower lines for
comments.

My standard location for such files includes a directory name based on
project name established in the settings so I don't have to think too
hard to manage credentials of any sort when creating new projects.

My view is that the only way secrecy can be compromised is if the server
itself is pwned. At that point you have to start again anyway.

Cheers

Mike



--
Signed email is an absolute defence against phishing. This email has
been signed with my private key. If you import my public key you can
automatically decrypt my signature and be sure it came from me. Just
ask and I'll send it to you. Your email software can handle signing.
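
An added example, not code from any poster in this thread: one way to combine the two approaches described above, an environment variable read with os.environ.get and a secrets file kept outside the repository whose top lines are credentials and lower lines are comments. The names DJANGO_SECRET_KEY, read_secret_lines and get_secret_key and the sample path are assumptions; the permission check applies on POSIX systems only.

```python
import os
import stat
from pathlib import Path


class SecretConfigError(RuntimeError):
    """Raised instead of silently falling back to a default secret."""


def read_secret_lines(path, count):
    """Return the first `count` lines of a secrets file as a list.

    Lines after the first `count` are ignored, so they can hold comments.
    """
    path = Path(path)
    try:
        mode = path.stat().st_mode
    except FileNotFoundError:
        raise SecretConfigError(f"secrets file not found: {path}") from None
    # POSIX only: refuse a file that group or others can read or write.
    if os.name == "posix" and mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise SecretConfigError(f"{path} is open to group/others; chmod 600 it")
    lines = path.read_text(encoding="utf-8").splitlines()[:count]
    secrets = [line.strip() for line in lines]
    if len(secrets) < count or not all(secrets):
        raise SecretConfigError(f"{path} needs {count} non-empty secret lines")
    return secrets


def get_secret_key(env_name="DJANGO_SECRET_KEY", path=None, environ=None):
    """Prefer the environment variable, then line 1 of the secrets file."""
    environ = os.environ if environ is None else environ
    value = environ.get(env_name, "").strip()
    if value:
        return value
    if path is not None:
        return read_secret_lines(path, 1)[0]
    # Fail closed: never start with an empty or hard-coded key.
    raise SecretConfigError(f"set {env_name} or provide a secrets file")


# In settings.py (the path is a constructed placeholder):
# SECRET_KEY = get_secret_key(path="/etc/myproject/secrets.txt")
```

Raising at import time means a misconfigured deployment fails to start rather than running with a missing or guessable key.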


Re: Django SECRET KEY

Michael Rohan-2
Hi Folks,

An extension of this local file is the project django-yamlconf (see https://django-yamlconf.readthedocs.io/en/latest/). It allows general override of settings. It is my project (full disclosure).

Take care,
Michael.


--
Michael Rohan
[hidden email]
