Django SECRET KEY


Kegan Ronholt

Nov 4, 2020, 10:02:00 AM
to Django users
What is the best practice for hiding SECRET key in settings.py in production? I am finding all sorts of different ways to do it, but none seem to work.


Abhishek Choudhury

Nov 4, 2020, 10:20:53 AM
to django...@googlegroups.com
I use the Environment variable that is in Windows and later in the script I pull the values using os.environ.get('Key_Name')  #Since this is a dictionary, we use '' " . 
  
With Best Regards,
Abhishek Choudhury







--
You received this message because you are subscribed to the Google Groups "Django users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/6660766c-6ed4-4500-9006-c8289158f749n%40googlegroups.com.

Mike Dewhirst

Nov 4, 2020, 6:53:36 PM
to Django users
I keep it in a file left out of the repository but in a "standard"
location known to the web server.

I have a simple utility to read the file into a list and just use a list
item as the secret key. I like it because there are typically half a
dozen different secrets per project. They include database credentials,
email server details, captcha keys and so on. It is handy having a
system to get all such stuff without needing to store it unsafely. I
also like using the top few lines for credentials and lower lines for
comments.

My standard location for such files includes a directory name based on
project name established in the settings so I don't have to think too
hard to manage credentials of any sort when creating new projects.

My view is that the only way secrecy can be compromised is if the server
itself is pwned. At that point you have to start again anyway.

Cheers

Mike



--
Signed email is an absolute defence against phishing. This email has
been signed with my private key. If you import my public key you can
automatically decrypt my signature and be sure it came from me. Just
ask and I'll send it to you. Your email software can handle signing.
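
An added example, not code from any poster in this thread: one way to combine the two approaches described above (an environment variable, and a secrets file kept outside the repository) in a helper that settings.py can call. The variable name DJANGO_SECRET_KEY, the file name, the "#" comment marker and the owner-only permission check are assumptions made for the example.

```python
import os
import stat
import tempfile
from pathlib import Path


class SecretConfigError(RuntimeError):
    """Raised at settings import time so the server never starts without a key."""


def read_secrets_file(path):
    """Return the non-comment lines of a secrets file that only its owner can access."""
    path = Path(path)
    try:
        mode = path.stat().st_mode
    except OSError as exc:
        raise SecretConfigError(f"cannot read secrets file {path}: {exc}") from exc
    # Assumption: on POSIX, refuse files with any group/other permission bits set.
    if os.name == "posix" and mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise SecretConfigError(f"{path} is accessible to group/others; chmod 600 it")
    lines = path.read_text(encoding="utf-8").splitlines()
    return [ln.strip() for ln in lines if ln.strip() and not ln.lstrip().startswith("#")]


def load_secret_key(env_name="DJANGO_SECRET_KEY", secrets_path=None, environ=os.environ):
    """Environment variable first, then line 1 of the secrets file; never a default."""
    key = environ.get(env_name, "").strip()
    if not key and secrets_path is not None:
        entries = read_secrets_file(secrets_path)
        key = entries[0] if entries else ""
    if not key:
        raise SecretConfigError(f"no secret key in ${env_name} or {secrets_path}")
    return key


def demo():
    """Constructed sample: a throwaway secrets file holding made-up values."""
    with tempfile.TemporaryDirectory() as tmp:
        f = Path(tmp) / "myproject.secrets"
        f.write_text("constructed-not-a-real-key\ndb-password-placeholder\n# notes\n")
        f.chmod(0o644)  # world-readable: the loader must reject this
        try:
            load_secret_key(secrets_path=f, environ={})
            rejected = False
        except SecretConfigError:
            rejected = True
        f.chmod(0o600)  # owner-only: now accepted
        return rejected, load_secret_key(secrets_path=f, environ={})
```

In settings.py the call would be SECRET_KEY = load_secret_key(secrets_path=...), so a missing or exposed key stops startup instead of falling back to a value committed to the repository.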

Michael Rohan

Nov 4, 2020, 7:00:15 PM
to Django users
Hi Folks,

An extension of this local file is the project django-yamlconf (see https://django-yamlconf.readthedocs.io/en/latest/). It allows general override of settings. It is my project (full disclosure).

Take care,
Michael.



--
Michael Rohan
mro...@acm.org