secret api keys


john fabiani

Oct 26, 2022, 11:09:40 AM10/26/22
to django...@googlegroups.com
Hi,

Maybe a dumb question but if I add secret keys in my settings.py file
(or should it be placed) will they be protected from the front end side
(the part that is displayed to the user of the website).

For example I have a secret key to access Authorize Net.  Will it be
protected from someone opening the website and using chrome to see the
source?

Johnf

Lakshyaraj Dash

Oct 26, 2022, 11:12:21 AM10/26/22
to django...@googlegroups.com
No one can see your secret keys. It's a far thought; no one can see what language your server side is written in.

--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/eeb82d0a-f18d-c253-a613-24c685307f41%40jfcomputer.com.

Muhammad Juwaini Abdul Rahman

Oct 26, 2022, 7:34:58 PM10/26/22
to django...@googlegroups.com
People can't see it straight away.

However, let's say you forgot to set debug = False; then they can see it. Not straight away, but it is very trivial.

It is advisable to put your secret keys in an external file (.env for example) and use a library like django-environ to get the value.

Mike Dewhirst

Oct 27, 2022, 12:33:23 AM10/27/22
to django...@googlegroups.com
Not a dumb question but frequently asked.

There are two approaches - one is to export your secrets as environment vars and read them from there. The other is to keep them in disk files and read them as required. 

In both cases the idea is to keep secrets out of your code and thus out of your repo.

I prefer the latter approach. 

Cheers

Mike

Mike Dewhirst

Oct 27, 2022, 12:45:42 AM10/27/22
to django...@googlegroups.com
On 27/10/2022 3:32 pm, Mike Dewhirst wrote:
Not a dumb question but frequently asked.

There are two approaches - one is to export your secrets as environment vars and read them from there. The other is to keep them in disk files and read them as required. 

In both cases the idea is to keep secrets out of your code and thus out of your repo.

I prefer the latter approach.

Further to that, the secrets are consumed by your code on the server which constructs html from a template rendered with values inserted by your code and sends that all to the browser which made the request.

So if you don't include your secrets in your constructed html they won't appear in the browser and will remain secret.

My preferred approach (above) is only secure if the files containing the secrets are stored on the server in a location accessible to the web server (Apache perhaps in your case) but access is denied to a browser.

In my case, I use a "creds" directory which satisfies that scenario.


Cheers

Mike



-- 
Signed email is an absolute defence against phishing. This email has
been signed with my private key. If you import my public key you can
automatically decrypt my signature and be sure it came from me. Just
ask and I'll send it to you. Your email software can handle signing.
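Putting Muhammad's .env/django-environ suggestion and Mike's "env var or creds file outside the web root" approach into one small Django-style settings helper. This is an added example, not code from the thread: the CREDS_DIR default, the get_secret/debug_enabled/checkout_html names and the AUTHNET_TRANSACTION_KEY variable name are assumptions, and the key value is constructed.

```python
import os
import tempfile
from pathlib import Path

class SecretNotConfigured(RuntimeError):
    """Raised at start-up so a missing secret fails loudly, not at checkout time."""

# Constructed default: a directory the Django process can read but the web
# server never serves (Mike's "creds" directory). Overridable by env var.
CREDS_DIR = Path(os.environ.get("CREDS_DIR", "/srv/creds"))

def get_secret(name, creds_dir=CREDS_DIR, environ=None):
    """Return secret `name` from an environment variable or from creds_dir/<name>.
    The environment wins; the file fallback covers deployments where the
    operator keeps secrets on disk instead of exporting them. settings.py
    itself never contains the value, so it never lands in the repo.
    """
    env = os.environ if environ is None else environ
    value = env.get(name)
    if value:
        return value.strip()
    path = Path(creds_dir) / name
    if path.is_file():
        return path.read_text(encoding="utf-8").strip()
    raise SecretNotConfigured(f"{name}: not in environment and {path} missing")

def debug_enabled(environ=None):
    """DEBUG defaults to False; only an explicit 'true' turns it on."""
    env = os.environ if environ is None else environ
    return env.get("DJANGO_DEBUG", "false").strip().lower() == "true"

def checkout_html(amount, environ=None, creds_dir=CREDS_DIR):
    """View body: the key is read server-side (it would go into the gateway
    call here) but only the rendered HTML is returned to the browser."""
    key = get_secret("AUTHNET_TRANSACTION_KEY", creds_dir, environ)
    html = f"<form method='post'><input name='amount' value='{amount}'></form>"
    if key in html:  # guard against the secret ever being templated in
        raise RuntimeError("secret would have reached the browser")
    return html

def demo_file_fallback():
    """Exercise the disk-file path with a constructed key in a temp creds dir."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "AUTHNET_TRANSACTION_KEY").write_text("constructed-key-123\n")
        return get_secret("AUTHNET_TRANSACTION_KEY", creds_dir=tmp, environ={})
```

In a real settings.py you would write `DEBUG = debug_enabled()` and `AUTHNET_TRANSACTION_KEY = get_secret("AUTHNET_TRANSACTION_KEY")`, with the creds directory readable only by the account the Django process runs as.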

Michael Rohan

Oct 27, 2022, 1:03:11 AM10/27/22
to django...@googlegroups.com
Hi,

This is one of the drivers for my package:
Externalize setting values to yaml files.

Take care,
Michael
--
Michael Rohan
mro...@acm.org

Rajesh Kr. Paul

Oct 27, 2022, 9:31:14 AM10/27/22
to django...@googlegroups.com
If you set debug=true, that shows only errors in URLs, views, and templates. There is no chance of it showing your secret key, which you placed in the settings.py file.
