Re: [Django] #37185: Update the deployment checklist docs to mention environment variables and secrets management (was: Update settings documentation topic with environment variable)

Django

Jun 29, 2026, 8:39:59 AM
to django-...@googlegroups.com
#37185: Update the deployment checklist docs to mention environment variables and
secrets management
--------------------------------------+------------------------------------
Reporter: Tim Schilling | Owner: (none)
Type: Cleanup/optimization | Status: new
Component: Documentation | Version: dev
Severity: Normal | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
--------------------------------------+------------------------------------
Changes (by Natalia Bidart):

* resolution: wontfix =>
* stage: Unreviewed => Accepted
* status: closed => new
* summary: Update settings documentation topic with environment variable
=>
Update the deployment checklist docs to mention environment variables
and secrets management

Comment:

Replying to [comment:5 Tim Schilling]:
> I've done some research on what other frameworks have done and feel like
> there's a better path than avoiding the topic altogether. Practically all
> web frameworks that I looked at show how to use environment variables to
> control their settings. Some do try to point people to other options, like
> secrets manager or some type of encrypted file.

Hey Tim, thank you for the thorough research, I appreciate you taking the
time to share that.

> I think we can include environment variables, mention using a secrets
> manager (maybe someone has a blog post we can reference here), and explain
> the security concerns with environment variables and `.env` files (see
> Laravel's security mention here:
> https://laravel.com/docs/12.x/configuration#environment-file-security). It
> definitely feels reasonable for us to mention the tools available to a
> person.

The framing you describe in this last comment is one I can get behind. I
think the additions could go in the deployment checklist like you said in
the ticket description (not the settings ref, that's not the right place),
and should say plainly that the security concerns are real (env vars exist
in plain text, leak through process logs, crash reporters and child
process forks, and the pattern almost inevitably leads to .env files being
committed to version control). The documentation could then point people
toward secrets managers as a more robust alternative.

I'll adjust the title slightly to guide contributors. Thanks again!
--
Ticket URL: <https://code.djangoproject.com/ticket/37185#comment:6>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
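
The child-process leak named in the comment above, next to a file-based read that keeps the value out of the environment, as an added example that is not part of the original message or of Django's documentation. The variable name `DJANGO_SECRET_KEY`, the helper functions and the temporary secret file (standing in for a file mounted by a secrets manager) are all assumptions made for illustration.

```python
import os
import subprocess
import sys
import tempfile

SECRET_NAME = "DJANGO_SECRET_KEY"  # hypothetical variable name, not a Django setting


def child_sees(name, env=None):
    """Return what a child process finds in its own environment for `name`."""
    code = "import os, sys; sys.stdout.write(os.environ.get(sys.argv[1], ''))"
    result = subprocess.run(
        [sys.executable, "-c", code, name],
        env=env, capture_output=True, text=True, check=True,
    )
    return result.stdout


def scrubbed_env(*names):
    """Copy of the current environment without the named variables."""
    return {k: v for k, v in os.environ.items() if k not in names}


def read_secret_file(path):
    """Read a secret from a file, e.g. one mounted by a secrets manager."""
    with open(path, encoding="utf-8") as fh:
        return fh.read().strip()


def demo():
    value = "constructed-sample-value"  # constructed, not a real key
    os.environ[SECRET_NAME] = value
    try:
        # env=None: the child inherits the parent's whole environment.
        inherited = child_sees(SECRET_NAME)
        # Mitigation when env vars are used: pass an explicit, scrubbed env.
        scrubbed = child_sees(SECRET_NAME, scrubbed_env(SECRET_NAME))
    finally:
        del os.environ[SECRET_NAME]
    # File-based alternative: the value never enters os.environ at all.
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "secret_key")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(value + "\n")
        from_file = read_secret_file(path)
        after_file = child_sees(SECRET_NAME)
    return inherited, scrubbed, from_file, after_file


if __name__ == "__main__":
    print(demo())
```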